Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
- What Is A Data Deletion Request?
- Why Is Responding To Data Deletion Requests So Important?
- What Laws Apply To Data Deletion Requests In The UK?
- Who Can Make A Data Deletion Request?
- When Must You Comply With A Deletion Request?
- Key Pitfalls To Avoid With Data Deletion Requests
- What If You Can’t (Or Shouldn’t) Delete Data?
- Best Practices For UK Businesses Handling Deletion Requests
- What Happens If You Get Data Deletion Requests Wrong?
- Key Takeaways
Handling personal data is part and parcel of running a business in the UK today - whether you’re running an e-commerce site, marketing agency, coffee shop, or SaaS platform. But what happens when a customer, employee, or other data subject asks you to delete their personal data?
These "data deletion requests" (sometimes referred to as the "right to erasure" or "right to be forgotten") are a crucial part of modern privacy law in the UK. If you’re not sure how to respond - or worried about getting it wrong - don’t stress. With some practical steps and the right legal know-how, you can handle data deletion requests confidently and stay compliant.
In this guide, we’ll walk you through what a data deletion request is, why it matters, the exact steps you should take as a business owner, and how to avoid common pitfalls. We’ll also cover the legal framework, tips for best practice, and what to do when deletion isn’t straightforward. Let’s get started!
What Is A Data Deletion Request?
Put simply, a data deletion request is when an individual (such as a customer, employee, or user) asks you to erase their personal data from your systems. This right is covered by both the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, which together make up the key privacy laws for UK businesses.
Under Article 17 of the UK GDPR, individuals can ask for their personal data to be erased in certain circumstances. Typical triggers for a deletion request include:
- The data is no longer needed for the original purpose
- The individual withdraws consent (and there’s no other legal reason to keep it)
- The data was processed unlawfully
- The business is complying with a legal obligation to erase the data
While the right to erasure isn’t absolute (meaning you don’t always have to delete upon request), there are strict obligations for how businesses must handle and respond.
Why Is Responding To Data Deletion Requests So Important?
Ignoring or mishandling a data deletion request can quickly land your business in hot water. Here’s why it matters:
- Legal Compliance: The UK GDPR and Data Protection Act 2018 are not optional - all UK businesses must comply, no matter their size.
- Risk Of Fines: The Information Commissioner’s Office (ICO) can issue fines for non-compliance, and the reputational fallout can be just as damaging.
- Building Trust: Customers increasingly value their privacy. Showing you take deletion requests seriously builds loyalty and confidence in your brand.
Whether you run a tech start-up or a local shop, getting these legal steps right is crucial to protecting your business as you grow.
What Laws Apply To Data Deletion Requests In The UK?
Two main privacy laws form the backbone for handling data deletion requests in the UK:
- UK GDPR: This sets out individuals’ rights regarding their personal data, including the “right to erasure”. All UK businesses processing personal data (including sole traders, companies, and partnerships) are covered.
- Data Protection Act 2018: This supplements the UK GDPR, includes additional requirements, and gives the ICO its enforcement powers.
In the simplest terms, if your business collects, uses, or stores personal information about individuals in the UK, you need to comply with these laws - and take deletion requests seriously.
Need a refresher on GDPR basics? We've put together a practical overview to get you up to speed.
Who Can Make A Data Deletion Request?
Any individual whose personal data you process can make a deletion request. This includes:
- Customers or clients
- Website users (even if just visiting your site or subscribing to emails)
- Employees, contractors or job applicants
- Members, subscribers, or any type of data subject
The request doesn’t need to follow formal wording or a specific format - an email, web form, letter, or even a phone call may count as a valid request. You might want to provide a clear, simple way (e.g., a privacy contact email) for users to make requests as part of your Privacy Policy and user-facing documents.
When Must You Comply With A Deletion Request?
You are generally required to erase personal data when one of the following applies:
- The data is no longer needed for the purpose it was collected
- The individual withdraws their consent and there’s no other lawful basis to continue processing
- The individual objects to processing and there are no overriding legitimate grounds to retain the data
- The data has been unlawfully processed
- You’re required to erase the data to comply with a legal obligation
However, there are exceptions. For example, if you need to keep the data for compliance with a legal obligation (like tax laws) or for defending legal claims, you may be able to refuse the request. You must inform the requester of your reasons if you decide not to erase some or all of their data.
For a more detailed explanation, visit our guide on GDPR right to erasure and deletion requests.
How Should Your Business Respond To A Data Deletion Request?
Here’s a simple step-by-step process you can follow:
1. Acknowledge The Request Promptly
There’s no need to panic! As soon as you receive a deletion request, acknowledge it in writing (usually by email) and let the requester know you’re dealing with it. The law requires you to respond “without undue delay and within one month” (in some cases extendable by two months for complex requests).
2. Verify The Individual’s Identity
Before taking any action, make sure you’re dealing with the correct person. You don’t want to delete data based on a fraudulent or mistaken request. If in doubt, ask for additional verification (like confirming their email address, user ID, or other identifier).
3. Assess Whether The Request Is Valid
Work out which data the individual is referring to, and whether you’re legally required to erase it. If the request covers data you must retain (for example, to satisfy HMRC record-keeping rules or comply with another legal duty), you can refuse, but you must tell the person why.
4. Erase The Data (Where Required)
Take steps to erase the relevant personal data from all systems (including backups and third-party systems where reasonable). If you’ve shared the data with others (like cloud providers or partner organisations), let them know too - you’re expected to take “reasonable steps” to ensure the information is erased elsewhere as needed.
5. Record Your Actions
Keep a record of the request, your decision, and any actions taken. This is essential for compliance in case the ICO investigates or the data subject escalates their request.
6. Respond To The Individual
Let the individual know what you’ve done (or the reasons you were not able to delete everything). Your explanation should be straightforward and clear; avoid legal jargon where possible. This transparency is crucial for building trust and complying with the law.
Want more guidance? Read our step-by-step GDPR deletion deadlines overview: Meeting GDPR Deadlines With Ease.
Key Pitfalls To Avoid With Data Deletion Requests
It’s not enough just to hit “delete” and move on. Here are some common traps to look out for:
- Ignoring Or Delaying A Request: There are strict deadlines for responding - don’t let deletion requests gather dust in your inbox.
- Inconsistent Deletion: Make sure you erase all copies of the personal data, including “hidden” files, backups, and information shared with third parties.
- Failure To Keep Records: Always document requests and your responses. This covers you in case of disputes or ICO complaints.
- Deleting Data You Must Keep: Don’t delete data you’re legally required to retain (e.g., business records for tax). If you refuse a deletion request for this reason, explain clearly and record your decision.
Ultimately, having robust procedures and a clear data retention policy makes it much easier to manage requests and stay on the right side of the law.
What If You Can’t (Or Shouldn’t) Delete Data?
There are some situations where you legitimately can’t erase all the requested data. The UK GDPR allows you to refuse a data deletion request if retaining the data is necessary for:
- Compliance with a legal obligation (e.g., employment, tax, or financial regulations)
- Establishing, exercising, or defending legal claims
- Freedom of expression and information
- Public interest in the area of public health or research
If you refuse all or part of a request on these grounds, you need to:
- Inform the individual of the specific reasons you’re not erasing the data
- Let them know about their right to complain to the ICO or seek legal recourse
Not sure how to respond? See our guidance on SAR exemptions when you may refuse a data request under GDPR.
Best Practices For UK Businesses Handling Deletion Requests
To make handling requests stress-free (and stay protected from day one), it’s wise to:
- Have a clear Privacy Policy explaining the right to erasure and how to make requests
- Designate responsibility - choose a staff member or team for handling privacy enquiries
- Implement a record-keeping system for requests and your business’s response actions
- Train staff regularly on privacy compliance and handling deletion procedures
- Review data retention policies and minimise unnecessary storage (less stored data = less to delete)
- Use clear consent forms and privacy notices to clarify what is collected and how it will be erased
And remember: it’s always better to plan ahead. If you’re not sure whether your contracts, policies, or systems are up to scratch, get tailored advice from a privacy law expert. Small oversights can turn into big headaches down the track!
Need a template, or unsure what to say to customers? We can help you create compliant policies and letter templates for all your privacy needs.
What Happens If You Get Data Deletion Requests Wrong?
Data protection is taken seriously in the UK, and there are real consequences if you ignore or mishandle deletion requests. These include:
- ICO investigations and possible enforcement actions
- Fines of up to £17.5 million or 4% of annual global turnover (whichever is higher) for serious breaches
- Reputational damage and loss of customer trust
- Potential complaints or claims from individuals whose rights have been breached
On the flip side, getting your privacy compliance right can help you stand out for trustworthiness, win new business, and avoid unnecessary risks as you grow.
Want to see real-world scenarios? Read our guide on GDPR breaches and next steps for UK businesses.
Key Takeaways
- A data deletion request gives individuals the right to ask you to erase their personal data in certain situations. Responding promptly and correctly is a key legal responsibility for all UK businesses.
- The UK GDPR and the Data Protection Act 2018 govern your obligations. Almost every UK business handling personal data must comply, no matter the size or sector.
- Follow a clear six-step process: acknowledge, verify, assess, erase, record, and respond. Only refuse if a recognised exemption applies, and always keep good records.
- A well-drafted Privacy Policy, internal procedures, and proper staff training are vital for smooth handling of requests and minimising risks.
- Failing to get this right can result in regulatory action, big fines, and reputational damage - but proactive compliance builds customer trust and sets your business up for lasting success.
If you need support handling data deletion requests, setting up robust privacy policies, or reviewing your compliance processes, Sprintlaw’s friendly team can help. You can reach us at team@sprintlaw.co.uk or call 0808 134 7754 for a free, no-obligations chat about your business needs.