Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you run a small business, you’re probably collecting personal data every day - customer emails, booking details, delivery addresses, staff records, website analytics, and more.
So when someone emails asking you to “delete all my personal data”, it can feel a bit stressful. What do you actually have to delete? How quickly? And what if you can’t delete it because you need it for legal or accounting reasons?
The good news is that a GDPR deletion request is manageable when you have a clear, repeatable process. In this guide, we’ll walk you through how to handle a GDPR deletion request in a way that protects your business and keeps you aligned with UK GDPR and the Data Protection Act 2018.
What Is A GDPR Deletion Request (And Is It The Same As The “Right To Be Forgotten”)?
A GDPR deletion request (sometimes called a GDPR request to delete personal data) is when an individual asks your business to erase their personal data.
This comes from the “right to erasure” under UK GDPR (often referred to as the “right to be forgotten”). It doesn’t mean you must delete everything in every scenario - but it does mean you must take the request seriously, assess it properly, and respond within the required timeframes.
Who Can Make A Deletion Request?
Usually, it’ll be:
- Customers (e.g. someone who bought from your online shop)
- Leads (e.g. someone who enquired but didn’t buy)
- Subscribers (e.g. your marketing list)
- Employees or contractors (less common, but possible)
- Former customers who want their account removed
What Counts As “Personal Data”?
Personal data is information that identifies someone (directly or indirectly). Common examples in a small business include:
- Name, email address, phone number
- Postal address and delivery details
- Account login details
- IP addresses and online identifiers
- Customer notes and support tickets
- Staff HR records
A strong Privacy Policy helps set expectations by explaining what data you collect, why you collect it, and how long you keep it.
When Do You Have To Delete Personal Data Under UK GDPR?
In plain terms, you generally have to erase personal data if you don’t have a good legal reason to keep it.
Under UK GDPR, a business must delete personal data in certain situations, including where:
- You no longer need the data for the purpose you collected it for (e.g. you collected data for a quote, the quote is done, and you don’t need it anymore).
- The person withdraws consent and you were relying on consent as your lawful basis (e.g. marketing emails).
- The person objects and you don’t have overriding legitimate grounds to continue processing.
- The data was processed unlawfully (e.g. collected without a valid lawful basis).
- You have a legal obligation to erase it under other laws.
But You Don’t Always Have To Delete Everything
This is where many small business owners get caught out: a deletion request under UK GDPR is not an automatic “yes”. UK GDPR also includes exceptions.
You may be able (or required) to keep certain data if it’s necessary for things like:
- Compliance with a legal obligation (for example, record-keeping obligations under tax/accounting rules - this is general information, not tax advice)
- Establishing, exercising, or defending legal claims (for example, if there is an ongoing dispute or you reasonably anticipate one)
- Freedom of expression and information (less common for typical SMEs, but relevant in media/publishing contexts)
- Public interest / official authority (generally not relevant to most private SMEs)
Practically, this means you might delete marketing records and CRM notes, but keep invoice data that you must retain for accounting purposes.
Step-By-Step: How To Respond To A GDPR Deletion Request
To handle a GDPR deletion request properly, you want a consistent workflow that your team can follow every time.
1) Record The Request Immediately
As soon as you receive the request (email, web form, message, or letter), log it internally. You should record:
- Date received
- Who made the request
- What they asked for (delete everything? delete marketing only?)
- Who in your business is responsible for handling it
- Deadline to respond
Many small businesses use a simple spreadsheet. Larger teams may use a ticketing system.
It also helps to have an internal process or template, like an Access Request Form, so requests don’t get lost or handled inconsistently.
2) Verify The Person’s Identity (Where Needed)
You don’t want to delete the wrong person’s data based on a spoofed email.
If you already have a secure account login and the request comes from that logged-in user, identity verification might be straightforward.
If not, you can ask for reasonable evidence of identity - but keep it proportionate. For example, you might ask them to confirm:
- the email address used in transactions
- their last order number
- the billing address you have on file
Try not to collect extra data just to verify them, and don’t create unnecessary barriers (that can create complaints).
3) Clarify The Scope (If The Request Is Broad Or Unclear)
Sometimes someone says “delete everything” but what they really want is:
- to close an account
- to stop marketing emails
- to remove a review/profile photo
You can reply with a short clarification question. This can save a lot of time (and avoid accidental deletion of records you still legitimately need).
4) Identify What Data You Hold And Where It Lives
This is usually the hardest part for SMEs, because personal data isn’t only in one place.
Do a quick “data map” for that individual across:
- Your CRM and email marketing platform
- Your ecommerce platform and payment records (note: you may not control all payment processor data)
- Customer support inboxes and ticketing tools
- Cloud storage (documents, PDFs, proposals)
- Spreadsheets and shared drives
- Employee devices (where your policies allow data storage locally)
- Backups (important - see below)
This is also why having a sensible retention framework matters. If you’re not sure what retention should look like, having a clear approach to data retention periods can make deletion requests far easier to handle.
5) Decide What You Can Delete vs What You Must Keep
At this stage, decide:
- Data to erase (e.g. marketing subscription, notes that are no longer needed, inactive user profiles)
- Data to restrict (e.g. you keep it but stop using it for most purposes, where appropriate)
- Data to retain (e.g. invoices, payment records, contract documentation) because you have a lawful reason to keep it
If you’re relying on an exception (like legal obligation or legal claims), document that decision. If the person complains to the ICO, you’ll want to show your reasoning.
6) Delete Securely And Consistently (Including Third Parties)
Deletion should be done securely. That can include:
- Deleting records from your systems (not just “archiving” them if they remain accessible)
- Deleting attachments containing personal data
- Updating suppression lists for marketing (so you don’t accidentally re-add them later)
- Instructing relevant processors (suppliers who process data on your behalf) to delete where required
Remember: if you use third-party suppliers to process personal data, your contracts and privacy compliance documents should support that. Many businesses pull these obligations together in a GDPR Package to avoid scrambling when requests arrive.
7) Respond Within The Legal Time Limit
In most cases, you must respond to a rights request (including a deletion request) without undue delay and within one month.
You can extend by up to two further months if the request is complex or you receive multiple requests - but you should tell the individual within the initial one-month period and explain why you need extra time.
Your response should confirm:
- what you deleted (high level)
- what you’ve kept and why (if applicable)
- what steps you took (e.g. “we have instructed our service providers to delete X” where relevant)
- their right to complain to the ICO if they’re unhappy
Tricky Areas For Small Businesses (And How To Handle Them)
Some parts of a GDPR deletion request are straightforward. Others need a bit more care.
Backups: Do You Need To Delete From Backups Too?
Backups are a common headache. In many SME setups, personal data can exist in backups that aren’t designed to be searched and edited record-by-record without undermining the integrity of the backup system.
UK GDPR doesn’t give an automatic “backup exemption”, but in practice a common approach is to:
- delete the data from your “live” systems (and any other readily accessible locations)
- make sure the data isn’t put back into live systems as part of normal operations (for example, by using appropriate safeguards if disaster recovery restores data)
- let backup copies expire and be overwritten as part of your normal backup lifecycle (provided that lifecycle is reasonable and documented)
What’s appropriate depends on your systems, the sensitivity of the data, and what’s technically feasible. If you’re unsure, or you process special category data, getting tailored advice is worth it.
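Steps 5 and 6 above, together with the backup approach just described, come down to three mechanics: decide per data store whether to erase or retain (and record why), add the person to a suppression list, and re-apply that list whenever data flows back into live systems (imports, sync jobs, disaster-recovery restores). The following is an added illustration, not code from the article or from Sprintlaw; the store names, retention rules and sample records are all constructed.

```python
# Constructed retention rules: a non-empty reason means "retain" (e.g. legal
# obligation); an empty string means the store is safe to erase from.
RETENTION_RULES = {
    "marketing_list": "",
    "crm_notes": "",
    "invoices": "legal obligation: accounting/tax record-keeping",
}

def process_erasure(email: str, stores: dict, suppression: set) -> dict:
    """Erase the subject from every store without a retain reason, record the
    decision per store (the paper trail you would show the ICO), suppress them."""
    decisions = {}
    for name, records in stores.items():
        reason = RETENTION_RULES.get(name, "")
        if reason:
            decisions[name] = "retained: " + reason
            continue
        before = len(records)
        records[:] = [r for r in records if r["email"] != email]
        decisions[name] = f"erased {before - len(records)} record(s)"
    suppression.add(email)  # stops re-adding via imports, sync jobs or restores
    return decisions

def restore_from_backup(backup: list, live: list, suppression: set) -> int:
    """Restore guard: re-apply the suppression list when a backup is restored.
    Returns how many records were dropped because the subject was erased."""
    dropped = 0
    for r in backup:
        if r["email"] in suppression:
            dropped += 1
        else:
            live.append(r)
    return dropped

def demo() -> tuple:
    """Run the workflow on constructed sample data for one subject."""
    stores = {
        "marketing_list": [{"email": "jane@example.com"}, {"email": "sam@example.com"}],
        "crm_notes": [{"email": "jane@example.com", "note": "asked for a quote"}],
        "invoices": [{"email": "jane@example.com", "ref": "INV-PLACEHOLDER"}],
    }
    backup = [dict(r) for r in stores["marketing_list"]]  # snapshot taken pre-erasure
    suppression: set = set()
    decisions = process_erasure("jane@example.com", stores, suppression)
    live: list = []
    dropped = restore_from_backup(backup, live, suppression)
    return decisions, [r["email"] for r in live], dropped, len(stores["invoices"])
```

Calling `demo()` erases the marketing and CRM records, retains the invoice with its documented reason, and shows the pre-erasure backup being restored without resurrecting the erased subject.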
Invoices, Contracts, And Legal Claims
Even if a customer wants everything deleted, you may need to retain certain records:
- invoices and transaction records for tax and accounting
- contracts (or order confirmations) to evidence terms agreed
- communications relating to disputes, refunds, or chargebacks
The key is transparency: explain what you’re retaining and why, and keep it for no longer than necessary.
Staff Handling Requests (And Avoiding Mistakes)
Deletion requests often land in a general inbox, with a team member replying quickly to be helpful - and that’s where mistakes happen.
To avoid issues, you should:
- train staff on how to spot a rights request
- have a single point of escalation internally
- use an internal policy so everyone follows the same steps
This is also where workplace systems and policies matter, especially if staff use company devices to access customer data. A clear Acceptable Use Policy can reduce the risk of personal data being scattered across devices and apps you can’t control.
What If The Request Is Unfounded Or Excessive?
In some limited cases, you may be able to refuse a request or charge a reasonable fee - for example, if a request is manifestly unfounded or excessive.
This is a high threshold, and you should be careful. If you’re thinking about refusing, get advice first so you don’t accidentally create an ICO complaint or enforcement risk.
How To Reduce The Risk Of Getting Deletion Requests Wrong
Most businesses don’t get in trouble because a deletion request comes in - they get in trouble because the response is late, inconsistent, or poorly documented.
Here are practical ways to reduce risk from day one.
Create A Simple Rights-Request Process
You want your team to know exactly what to do, even on a busy day. At a minimum, set out:
- where requests should be sent
- who manages them
- how to verify identity
- how to check retention obligations
- how to respond within the deadline
Keep Your Privacy Documents Up To Date
If you’re collecting personal data (and most businesses are), you should make sure your privacy compliance is up to scratch - including your Privacy Policy, internal practices, and any processor arrangements.
When documents don’t match reality, that’s when you get problems. For example, if your Privacy Policy says you delete customer data after 12 months, but your systems keep it indefinitely, a deletion request can expose that gap very quickly.
Prepare For Mistakes (Because They Happen)
Sometimes the issue isn’t the deletion request itself - it’s what you find while dealing with it (for example, you discover data is stored in an insecure place, or sent to the wrong person).
If something goes wrong, having a plan matters. A Data Breach Response Plan can help you act quickly and consistently if you uncover a privacy incident while processing a request.
Get Advice Before You Scale
When you’re small, it’s tempting to “deal with privacy later”. But once you’ve grown a mailing list, hired staff, and built multiple systems, deletion requests become much harder to manage.
A quick Data Protection Consultation can help you put sensible processes in place early, so you’re not patching problems under pressure later.
Key Takeaways
- A GDPR deletion request is a formal request for your business to erase personal data, and you must respond within the UK GDPR timeframe (usually one month).
- You don’t always have to delete everything - you may retain certain data where you have a lawful reason, such as legal obligations (e.g. record-keeping you’re required to do) or legal claims.
- Your best “first move” is to log the request, verify identity where needed, clarify scope, and map where the data is stored before deleting anything.
- Deletion should be done securely and consistently across your systems, and may also involve instructing your suppliers (processors) to delete data they hold on your behalf.
- Clear retention periods, privacy documents, and internal policies make GDPR deletion requests far easier to handle and reduce the risk of late or inconsistent responses.
- If you’re unsure about refusing a request, handling backups, or relying on an exception, it’s worth getting tailored legal advice before responding.
If you’d like help putting the right GDPR processes in place - or you’ve received a GDPR deletion request and want to make sure your response is compliant - you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligation chat.