Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If your business collects any personal data – names, emails, purchase history, CCTV footage, support tickets, job applications – you’ll likely receive a request at some point from someone asking you to “delete my data.”
Under UK GDPR, individuals have the “right to be forgotten” (also called the right to erasure). For small businesses, the trick is knowing when you must erase data, when you can refuse, and how to handle requests quickly and lawfully without disrupting day‑to‑day operations.
This guide breaks it down in plain English. We’ll cover your obligations under UK law, practical steps to follow, and how to build lightweight processes so you’re protected from day one.
What Is The Right To Be Forgotten Under UK Law?
The “right to be forgotten” comes from Article 17 of the UK GDPR, as supplemented by the Data Protection Act 2018. In short, individuals can ask you to delete their personal data in certain circumstances. That includes data that directly or indirectly identifies a person – for example, their email address, IP address, profile data, purchase history, or recorded calls.
As a small business, you’re a “controller” if you decide why and how personal data is processed. Controllers must:
- Respond to valid erasure requests without undue delay (generally within one month).
- Erase personal data where an applicable ground is met, unless an exemption applies.
- Notify any “processors” (your vendors who handle data on your behalf) and, where feasible, other recipients to erase copies or links to that data.
- Keep a record of requests and how you handled them (for accountability).
Importantly, the right to be forgotten is not absolute. It applies only in specific scenarios, and there are clear exemptions that allow you to retain data (for example, for legal claims or compliance).
You’ll also need transparent notices explaining how you handle data and deletion requests. Having a clear, bespoke Privacy Policy on your website or app is essential so customers know how to contact you and what to expect.
When Must You Erase Data - And When Can You Refuse?
Think of the right to be forgotten as a balancing exercise. You look at the reason the person is asking for deletion and weigh it against your lawful basis for holding the data and any overriding obligations you have.
When You Must Erase
Under UK GDPR, you generally need to erase data if one of the following applies:
- You no longer need the data for the purpose you collected it.
- The individual withdraws consent and you have no other lawful basis (e.g., you were using consent for marketing, and they opt out).
- The individual successfully objects to processing and there are no overriding legitimate grounds to continue.
- You processed the data unlawfully (for example, collected more data than necessary without a lawful basis).
- You must erase to comply with a legal duty (for instance, a court order).
- You collected the data in relation to online services offered directly to a child, and special protections apply.
Where possible, you should also take reasonable steps to tell third parties you’ve shared that data with to delete it. If the data has been made public (for example, a blog post on your site), you may need to take steps to remove links or copies. The scope is “reasonable” given technology available and cost of implementation.
When You Can Refuse
There are several lawful grounds for saying “no” (or for limiting deletion, such as moving to suppression). Common examples include:
- You need to keep the data to comply with a legal obligation (e.g., tax record-keeping).
- You need the data to establish, exercise, or defend legal claims (for example, a potential dispute about a contract or refund).
- Erasure would seriously impair the exercise of freedom of expression and information (typically a media context).
- Public interest reasons in public health or archiving/research where erasure would seriously impair processing (less common for SMEs).
- It’s not reasonably possible to identify the person (for example, fully anonymised data falls outside UK GDPR).
Where it’s more appropriate to stop using the data but keep a minimal record to avoid contacting the person again, suppression rather than deletion can be appropriate – particularly for direct marketing databases. In practice, a “do not contact” list helps you prove you’ve honoured their wishes while avoiding accidental reactivation.
Be cautious, though. Decisions are fact‑specific and need a clear rationale. If you do refuse, explain why and tell the individual about their right to complain to the ICO and to seek a judicial remedy. For a deeper dive into the circumstances and decision points, it’s worth reading about data deletion and how the lawful bases interact with erasure requests.
How To Handle A Right To Be Forgotten Request (Step-By-Step)
A simple, repeatable workflow will save you time and reduce risk. Here’s a practical process you can adapt for your business.
1) Log And Acknowledge The Request
Set up a central inbox (e.g., privacy@yourbusiness.com) and a request log. Acknowledge the request promptly and confirm the deadline (usually one month). If you need to confirm identity to stop unauthorised deletion, ask for reasonable verification (e.g., confirming a control code or sending from the registered email).
Timeframes for erasure requests typically mirror those for DSARs. If deadlines trip you up, build a calendar reminder system – this is the same discipline used for GDPR data request deadlines.
2) Locate The Data
Map where personal data sits across your systems:
- Core platforms: CRM, email marketing, ecommerce, helpdesk, booking tools.
- Files and collaboration tools: shared drives, ticket notes, chat logs.
- Vendors: payment gateways, cloud storage, analytics, delivery partners.
- Backups: understand what’s realistically accessible vs. “cold” archives.
A lightweight data map (even a spreadsheet) makes this step much faster.
3) Assess Grounds For Erasure Or Refusal
Check if a ground to erase applies and whether any exemption overrides it. Document your decision. If you’re keeping some data (for example, invoices needed for tax), note the lawful basis and your retention period. If you’re moving marketing data to suppression, record that status so you don’t accidentally reactivate the contact later.
Where you think an exemption applies, sanity‑check it against your obligations and proportionality. The ICO expects reasoned decisions. You can also review relevant exemptions used with data requests to ensure your approach is consistent.
4) Action The Deletion Across Systems And Vendors
Delete or anonymise the data in your own systems. Then notify processors and relevant recipients to erase linked copies where feasible. Your contracts should require processors to cooperate and act quickly – if they don’t, that’s a sign your vendor terms may need tightening.
5) Confirm Outcomes And Close The Loop
Write back to the individual confirming what was deleted (and where), any data you must retain (and why), and any suppression steps you’ve taken. Include the date of completion and details of their right to complain to the ICO if they’re unhappy.
6) Update Your Records
Record the request, your decision, actions taken, and the legal rationale. This audit trail shows accountability if you’re ever challenged and helps you improve your process next time.
Build The Right Policies, Processes And Contracts
Handling erasure requests smoothly isn’t just about reacting well. It’s about setting up simple, scalable governance that fits a small business.
Have Clear, Plain-English Privacy Information
Your website or app should set out how people can ask you to delete their data, what you’ll do, and any situations where you may keep data (e.g., legal obligations). A tailored Privacy Policy makes this easy for customers and reduces back‑and‑forth.
Define Retention Schedules
Don’t keep personal data “just in case.” Define what you keep and for how long, based on purpose and legal obligations (e.g., tax records). This makes erasure requests simpler because you already know what can be deleted and what must be retained. For practical guidance, see our overview on GDPR data retention periods.
Set Up Contracts With Your Vendors
If you use software or service providers to process personal data on your behalf, you must have appropriate controller–processor terms that require cooperation with erasure requests, timely deletion on termination, and robust security. A compliant Data Processing Agreement (DPA) should be standard for any critical vendor who handles your customer data.
Create A Simple Internal Procedure
Write a short SOP that your team can follow. Include:
- Who owns requests (usually an Ops or Compliance owner).
- How to verify identity and log the request.
- Where to look for data (with a system checklist).
- How to assess exemptions and when to escalate for advice.
- Templates for acknowledgements, confirmations, and refusal letters.
If an incident occurs alongside a request – for example, a deletion mistake or suspected unauthorised access – have a Data Breach Response Plan ready so you can act quickly and meet any reporting obligations.
Practical Issues SMEs Should Watch Out For
Life is messy. Here are the tricky scenarios we see most often, plus our tips on navigating them.
“Delete Me” vs Marketing Opt‑Out
Sometimes a customer simply wants you to stop marketing to them. In that case, you don’t need to erase their entire account if you still need records for things like past purchases. Suppress their profile from marketing lists and keep the minimal data you need for tax, warranty or chargeback purposes. Document your reasoning and explain it clearly in your response.
Backups And Technical Limitations
The law recognises that some backups aren’t practically editable. Your aim is to delete from live systems and ensure that, if backups are restored, erased data isn’t reintroduced into active use. State this in your policy and keep backup cycles reasonable so legacy data ages out.
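The workflow in steps 1 to 6 above, the suppression approach for marketing data, and the point just made about backups can all be expressed as one small piece of tooling. The following Python is an added example written for this guide, not code from Sprintlaw or any product it mentions; the data categories, retention rules, rationales, sample records and the register key are all constructed assumptions chosen to illustrate the decisions, not legal advice on what your own retention schedule should say. It shows a request log with the one-month deadline and the maximum two-month extension computed by calendar month, a per-category decision (erase, suppress, retain with a documented rationale, or escalate when the category is unknown), a do-not-contact register that stores a keyed hash rather than the address itself, and a restore filter that keeps erased subjects out of live systems when a backup is reloaded.

```python
"""Erasure-request workflow: deadlines, per-category decisions, suppression
register and a backup-restore filter. Example code with constructed rules."""
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed retention rules: category -> (default action, rationale if kept).
# Assumed categories for illustration; a real schedule is business-specific.
RETENTION_RULES = {
    "marketing_profile": ("suppress", "Keep a minimal do-not-contact marker only"),
    "support_ticket": ("erase", ""),
    "invoice": ("retain", "Legal obligation: tax record-keeping"),
    "dispute_file": ("retain", "Establish, exercise or defend legal claims"),
}


def normalise_email(email: str) -> str:
    """Case and whitespace differences must not defeat a match."""
    return email.strip().lower()


def add_months(d: date, months: int) -> date:
    """Add calendar months, clamping to the last day of the target month."""
    month_index = d.month - 1 + months
    year, month = d.year + month_index // 12, month_index % 12 + 1
    next_first = date(year + month // 12, month % 12 + 1, 1)
    last_day = (next_first - timedelta(days=1)).day
    return date(year, month, min(d.day, last_day))


def response_deadlines(received: date) -> dict:
    """One month to respond; up to two further months for complex requests,
    and the extension must be notified within the first month."""
    return {
        "respond_by": add_months(received, 1),
        "extension_notice_by": add_months(received, 1),
        "extended_respond_by": add_months(received, 3),
    }


class SuppressionRegister:
    """Do-not-contact list keyed by HMAC-SHA256 of the normalised email, so the
    register holds a tag rather than a readable address. Key is a placeholder."""

    def __init__(self, key: bytes):
        self._key = key
        self._entries: dict[str, str] = {}  # tag -> ISO date suppressed

    def _tag(self, email: str) -> str:
        data = normalise_email(email).encode()
        return hmac.new(self._key, data, hashlib.sha256).hexdigest()

    def suppress(self, email: str, when: date) -> None:
        self._entries[self._tag(email)] = when.isoformat()

    def is_suppressed(self, email: str) -> bool:
        return self._tag(email) in self._entries


@dataclass
class Record:
    subject_email: str
    category: str
    payload: dict


@dataclass
class ErasureOutcome:
    erased: list = field(default_factory=list)   # categories deleted
    retained: dict = field(default_factory=dict)  # category -> rationale
    suppressed: bool = False
    audit: list = field(default_factory=list)     # lines for the request log


def handle_request(records, email, received: date, register):
    """Steps 3 to 6: decide per category, act, and build the audit trail.
    Returns the records that remain live plus the documented outcome."""
    subject = normalise_email(email)
    outcome, remaining = ErasureOutcome(), []
    for rec in records:
        if normalise_email(rec.subject_email) != subject:
            remaining.append(rec)
            continue
        action, rationale = RETENTION_RULES.get(
            rec.category, ("escalate", "Unknown category: seek advice before acting"))
        if action == "erase":
            outcome.erased.append(rec.category)
        elif action == "suppress":
            outcome.suppressed = True
        else:  # retain or escalate: keep the record and document why
            remaining.append(rec)
            outcome.retained[rec.category] = rationale
        outcome.audit.append(f"{rec.category}: {action} ({rationale or 'no exemption applies'})")
    if outcome.erased or outcome.suppressed:
        register.suppress(subject, received)  # marker survives the deletion
    outcome.audit.append(f"received {received.isoformat()}; {response_deadlines(received)}")
    return remaining, outcome


def filter_restore(backup_records, register):
    """Backups may still hold erased subjects: drop their erasable categories on
    restore so deleted data is not reintroduced, while retained records survive."""
    kept = []
    for rec in backup_records:
        action = RETENTION_RULES.get(rec.category, ("escalate", ""))[0]
        if register.is_suppressed(rec.subject_email) and action in ("erase", "suppress"):
            continue
        kept.append(rec)
    return kept


# Constructed sample records for a single data subject plus one other customer.
SAMPLE_RECORDS = [
    Record("Jane.Doe@example.com", "marketing_profile", {"opted_in": True}),
    Record("jane.doe@example.com", "support_ticket", {"id": 42}),
    Record("jane.doe@example.com", "invoice", {"number": "INV-0001"}),
    Record("bob@example.com", "support_ticket", {"id": 43}),
]

if __name__ == "__main__":
    reg = SuppressionRegister(b"constructed-placeholder-key")
    live, result = handle_request(SAMPLE_RECORDS, "jane.doe@example.com", date(2024, 1, 31), reg)
    print("\n".join(result.audit))
    print("restored from backup:", [(r.subject_email, r.category) for r in filter_restore(SAMPLE_RECORDS, reg)])
```

The register is keyed by a hash so the do-not-contact list does not itself become a fresh copy of the address you were asked to delete; the retained invoice stays in place with its rationale written to the audit line, and the same register decides what a backup restore is allowed to bring back.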
Search Results And Public Content
Individuals sometimes want links removed from search engines. That’s primarily a request to the search engine (acting as a controller) to de‑list results. Your role is to remove personal data from your own pages (if a deletion ground applies) and, where appropriate, to stop making it public. If content was posted lawfully and an exemption applies (e.g., exercising freedom of expression), consider whether partial redaction or suppression is more appropriate.
Employees And Former Staff
Staff and contractors can make erasure requests too, but many employment records must be retained to comply with legal obligations or to defend legal claims. Apply the same analysis: erase what you no longer need; keep what you’re legally required to retain, with clear retention periods.
Identity Verification Without Over‑Collecting
You must take “reasonable” steps to verify identity, but don’t collect more data than you need. Often, confirmation via the registered email, a recent order number, or an account control token is enough. If you genuinely need more, explain why and delete the verification data once complete.
Timing And Extensions
You generally have one month to respond. For complex or multiple requests, you can extend by up to two months, but you should tell the individual within the first month and explain why. Build these checkpoints into your SOP so nothing slips.
Keep A Clean Paper Trail
Even if your business is small, keep records. An audit trail helps if the ICO asks questions or a customer challenges your decision. Keep it simple: date received, systems searched, decision with lawful basis/exemption, date completed, and notification sent.
Align Erasure With Your Wider Privacy Program
Right to erasure is just one part of privacy compliance. Align it with consent management, transparency, data minimisation, and responses to other requests (like access and portability). Doing this once, properly, saves a lot of future hassle.
Key Takeaways
- The “right to be forgotten” is real, but not absolute. You must erase data when a ground applies, but you can refuse if a legal exemption genuinely overrides (for example, legal obligations or defence of claims).
- Act fast and document decisions. Acknowledge requests, verify identity reasonably, search systems and vendors, and reply within the one‑month window with a clear outcome and rationale.
- Build simple, scalable processes. Use a central inbox, a short SOP, and a lightweight data map so your team can handle requests without stress.
- Put the right paperwork in place. Publish a clear Privacy Policy, set retention rules that you actually follow, and ensure your vendors sign a compliant Data Processing Agreement.
- Be pragmatic about suppression, backups and public content. Suppress where full deletion isn’t appropriate, avoid re‑introducing deleted data from backups, and remove personal data from your pages where required.
- Treat erasure as part of a joined‑up privacy program. Tie it together with response timelines, retention, relevant exemptions, and incident readiness via a Data Breach Response Plan.
If you’d like help setting up a deletion workflow, drafting a tailored Privacy Policy or reviewing vendor terms, our team can help. Reach us on 08081347754 or team@sprintlaw.co.uk for a free, no‑obligations chat.