Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you run a small business, you’re probably collecting more personal data than you realise - customer enquiries, online orders, email marketing lists, staff records, CCTV, device logs, and more.
At some point, someone may ask you to delete their data. This is known as a data erasure request, and it can feel stressful if you haven’t handled one before.
The good news is that most businesses can manage data erasure requests confidently once they understand the rules, the timeframes, and the common “grey areas” (like backups, accounting records, and marketing lists).
Below, we’ll break down what you need to do under the UK GDPR and the Data Protection Act 2018, in plain English, from a small business perspective.
What Is A Data Erasure Request (And When Does It Apply)?
A data erasure request is when an individual asks you to delete personal data you hold about them. In GDPR language, it’s often called the “right to erasure” or the “right to be forgotten”.
For businesses, the key point is this: you don’t always have to delete everything just because someone asked - but you do always have to respond lawfully, within the required timeframe, and you need to be able to justify your decision.
Examples Of Personal Data You Might Need To Erase
Depending on your business, a data erasure request could relate to:
- Customer accounts (name, email address, order history)
- Enquiry forms and CRM records
- Email marketing lists
- Support tickets and chat logs
- CCTV footage (where people are identifiable)
- Employee or contractor records (depending on context)
- Online identifiers (IP addresses, cookie IDs) where they identify someone
When Is The Right To Erasure Most Likely To Apply?
Broadly, the right to erasure applies when keeping the data is no longer justified. Common situations include:
- You no longer need the data for the purpose you collected it for (for example, you collected data to provide a quote, the quote is done, and there’s no ongoing relationship).
- The person withdraws consent (for example, they previously opted into marketing and now want all marketing data removed).
- The person successfully objects to processing (often relevant to direct marketing).
- The data was processed unlawfully (for example, you collected more data than necessary, or didn’t have a proper lawful basis).
- You have a legal requirement to erase the data.
In practice, a lot of data erasure requests from customers are really about marketing or old accounts. The legal analysis is usually manageable - but it still needs to be done properly.
Do You Always Have To Comply With A Data Erasure Request?
No - not always. But you do need to treat every data erasure request seriously and respond in line with the law.
Under UK GDPR, you can refuse to erase data (or only erase some of it) if you have a valid reason to keep it. The most common “business-friendly” reasons include:
1) You Need The Data To Comply With A Legal Obligation
If you must keep certain records because of another legal requirement, you generally don’t have to delete them just because someone asks. Common examples include:
- Accounting and tax-related records you’re required to retain for statutory purposes (this is general information, not tax advice)
- Records needed for regulatory compliance (depending on your industry)
- Right to work checks or payroll records (in an employment context)
That said, you should still consider limiting access to what you must keep and deleting anything you don’t need.
2) You Need The Data To Perform Or Defend Legal Claims
If you reasonably need the data to establish, exercise, or defend legal claims, you may be able to keep it - for example, if there is an unresolved dispute, unpaid invoice, or complaint history that may be relevant.
This isn’t a “keep everything forever” excuse. You should document why you’re keeping it and set a review date.
3) The Data Is Still Needed To Provide An Ongoing Service
Sometimes, the right to erasure won’t apply (or will apply only in part) because you still need certain information for the original purpose - for example, to complete an open order, provide warranty support, or run an ongoing subscription. In those cases, you should erase what you don’t need, and keep only what’s necessary for as long as it’s necessary.
4) The Request Is Manifestly Unfounded Or Excessive
This is a high bar, but if someone is clearly abusing the process (for example, repeated requests with no real purpose), you may be able to refuse or charge a reasonable fee.
If you rely on this, you should be cautious and get advice - refusing incorrectly can create more risk than complying.
As a practical step, your written documents should support your compliance position. For example, your Privacy Policy should clearly explain what you collect, why you collect it, how long you keep it, and how people can exercise their rights.
What Counts As “Erasure” For Businesses (It’s Not Always As Simple As Hitting Delete)
When you receive a data erasure request, “delete everything” might sound straightforward - but businesses often have data spread across systems.
Erasure usually means you need to take reasonable steps to remove the person’s personal data from your operational systems and stop using it for the relevant purpose.
Erasure Can Include
- Deleting the data from your CRM, email platform, and support tools
- Anonymising the data (so it no longer identifies the person)
- Suppressing data (for example, keeping an email on a “do not contact” list so you don’t accidentally market to them again)
- Restricting access (where you must keep data for legal reasons, but you ring-fence it)
Watch Out For Backups And Archived Data
Backups are one of the most common pain points with a data erasure request.
You’re generally expected to take reasonable steps - but GDPR recognises that deleting data from immutable backups immediately may not always be practical. Many businesses manage this by:
- Ensuring backup data isn’t used for day-to-day processing
- Letting backups rotate out under a defined retention schedule
- Documenting that the data is “beyond use” (restricted and not restored except for disaster recovery)
This is where having a clear approach to data retention periods really helps - it makes your erasure process easier and more defensible.
Third Parties: If You Shared The Data, You May Need To Tell Others
If you’ve shared personal data with third parties (for example, a mailing list provider, fulfilment partner, booking platform, or IT provider), you may need to take reasonable steps to notify them of the erasure request too.
In practice, you should know:
- Which suppliers process personal data on your behalf
- Whether they are acting as “processors” or “controllers”
- How to action deletions and confirm completion
This is one reason why getting your privacy compliance foundations right from day one is worth it - it reduces scrambling later.
How To Handle A Data Erasure Request: A Step-By-Step Process For Small Businesses
If you want a practical workflow your team can follow, this is a good baseline. The aim is to be consistent, quick, and well-documented.
Step 1: Recognise The Request (And Log It Immediately)
A data erasure request doesn’t need special wording. Someone can say:
- “Please delete my data.”
- “I want you to remove all information you have about me.”
- “Close my account and erase my details.”
Train staff to spot these messages and forward them to whoever handles privacy. Then log:
- The date received
- Who received it
- The requester’s contact details
- What the person asked for
- Your response deadline
Step 2: Verify Identity (But Don’t Over-Collect)
You should make sure the requester is the right person - especially if you hold sensitive or account-level information.
However, you should only ask for what’s reasonably needed. For example:
- If the request comes from the same email used for the account, you may not need further checks.
- If it comes from a different email or a third party, you might ask for confirmation details.
It can help to have an internal process and form for rights requests so you collect consistent information without turning it into an interrogation.
Step 3: Work Out Your Lawful Basis And Whether An Exemption Applies
This is the legal “decision point”. Ask:
- Why do we have this data?
- Do we still need it for that purpose?
- Are we relying on consent, contract, legitimate interests, or a legal obligation?
- Is there a reason we must keep some of it (statutory retention, disputes, regulatory requirements)?
Often, the outcome is “partial erasure” - for example, delete marketing data and old CRM notes, but retain invoice records for statutory retention.
Step 4: Action The Deletion Across All Systems
Create (and keep updated) a list of where personal data lives in your business, such as:
- Email inboxes
- CRM systems
- E-commerce platform
- Accounting software
- Email marketing tool
- Cloud storage (documents, spreadsheets)
- Team chat tools
Then:
- Delete or anonymise where appropriate
- Remove from marketing lists (and add to suppression lists if needed)
- Notify processors/suppliers where necessary
- Record what you did and when you did it
Step 5: Respond Within The Deadline (Usually One Month)
In most cases, you must respond to a data erasure request within one month.
You can sometimes extend by up to two further months if the request is complex - but you should tell the person within the first month and explain why.
If you’re also handling a subject access request at the same time, keep a close eye on timing, because the clock can move quickly. (This is where understanding SAR deadlines can be helpful for building your internal playbook.)
Step 6: Keep A Compliance Record (Yes, Even After You “Erase”)
It sounds counterintuitive, but you should keep a record of:
- The request
- Your identity checks
- Your decision and lawful basis
- What you erased (and what you kept, and why)
- The date you responded
This record is about accountability - it helps you prove you complied if a complaint is later made to the ICO.
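The “partial erasure” outcome that Steps 3 to 6 describe (delete marketing and CRM data, keep a hashed suppression entry so the person is never re-added, retain invoices ring-fenced with a review date, and log every action against the one-month deadline with its possible two-month extension), as an added Python example that is not part of the original article. The data store layout, field names and the retention review date are constructed assumptions, not anything the article specifies.

```python
import calendar
import hashlib
from datetime import date

def add_months(d: date, n: int) -> date:
    """Calendar-month arithmetic, clamped to the month's last day (31 Jan + 1 month -> 28/29 Feb)."""
    m = d.month - 1 + n
    y, m = d.year + m // 12, m % 12 + 1
    return date(y, m, min(d.day, calendar.monthrange(y, m)[1]))

def response_deadline(received_iso: str, complex_request: bool = False) -> str:
    # One month to respond; a complex request may be extended by up to two further months,
    # but the requester must be told about the extension within the first month.
    return add_months(date.fromisoformat(received_iso), 3 if complex_request else 1).isoformat()

def suppression_token(email: str) -> str:
    # The "do not contact" list stores a hash rather than the address, so it identifies nobody on its own.
    return hashlib.sha256(b"suppress:" + email.strip().lower().encode()).hexdigest()

def can_market(suppression: set, email: str) -> bool:
    return suppression_token(email) not in suppression

def handle_erasure(store: dict, suppression: set, email: str, received_iso: str,
                   retention_review_iso: str, complex_request: bool = False) -> dict:
    """Partial erasure: delete CRM/marketing data, suppress, retain invoices ring-fenced, and log it."""
    key = email.strip().lower()
    def is_requester(rec: dict) -> bool:
        return rec.get("email", "").lower() == key
    record = {"received": received_iso, "deadline": response_deadline(received_iso, complex_request),
              "actions": [], "retained": []}
    for system in ("crm", "marketing"):            # no lawful reason to keep these: delete
        kept = [r for r in store[system] if not is_requester(r)]
        record["actions"].append(f"{system}: deleted {len(store[system]) - len(kept)} record(s)")
        store[system] = kept
    suppression.add(suppression_token(key))        # prevents accidental re-adding to marketing later
    record["actions"].append("marketing: hashed address added to suppression list")
    for inv in store["invoices"]:                  # statutory records: keep, restrict access, set review date
        if is_requester(inv):
            inv["restricted"], inv["review_on"] = True, retention_review_iso
            record["retained"].append({"invoice_no": inv["invoice_no"], "reason": "statutory retention"})
    return record

def run_sample() -> tuple:
    # Constructed sample data for one requester (hypothetical, not a real customer).
    store = {"crm": [{"email": "jane@example.com", "name": "Jane Doe", "notes": "quote issued"}],
             "marketing": [{"email": "Jane@Example.com"}, {"email": "bob@example.com"}],
             "invoices": [{"email": "jane@example.com", "invoice_no": "INV-0042", "amount": 120.0}]}
    suppression: set = set()
    record = handle_erasure(store, suppression, "jane@example.com", "2024-01-31", "2030-01-31")
    return record, store, suppression
```

The returned record is the compliance entry Step 6 asks you to keep: what was deleted, what was retained and why, and the date by which you had to respond.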
Common Data Erasure Request Pitfalls (And How To Avoid Them)
Most problems happen when businesses treat a data erasure request like a quick customer service task, rather than a legal compliance process.
Mixing Up “Unsubscribe” With “Erase My Data”
Sometimes people just want marketing to stop. Sometimes they want full erasure. Sometimes they want both.
If someone unsubscribes, you’ll usually need to stop marketing - but you may still keep minimal data on a suppression list to ensure you don’t accidentally re-add them later.
If they make an explicit data erasure request, assess the broader scope - but remember you can still retain what you must keep for legal obligations.
Deleting Data You Actually Need To Keep
Small businesses can accidentally delete records needed for tax, warranties, chargebacks, or legal claims.
A safer approach is often:
- Erase non-essential profile/marketing data
- Retain invoices and core transaction records for required periods
- Restrict access to retained data
If you’re not sure where the line is for your industry, it’s worth getting tailored advice, because “delete everything” can create operational and legal headaches later.
Forgetting Staff Mailboxes And Shared Drives
Even if you delete someone from your CRM, their information may still exist in:
- Old email threads
- Downloaded spreadsheets
- Attachments saved to shared folders
- Helpdesk exports
You don’t need to become perfect overnight - but you do need a reasonable process, and you should show you’ve looked in the obvious places and improved controls to prevent uncontrolled duplication going forward.
Not Having A Plan If Things Go Wrong
Sometimes a rights request overlaps with a broader issue - for example, someone complains you shared their data incorrectly, or you discover you’ve sent an email to the wrong recipient while searching records.
That’s why it’s smart to have a documented Data Breach Response Plan in place, so your team knows what to do quickly (and who is responsible) if an issue escalates.
Key Takeaways
- A data erasure request is a legal request under UK GDPR to delete personal data, and you need a consistent process to handle it quickly and correctly.
- You don’t always have to delete everything - you may be able to keep data where you need it for legal obligations, ongoing contracts, or legal claims.
- “Erasure” can involve deletion, anonymisation, suppression, or restricted storage, especially where backups or statutory records are involved.
- A practical workflow includes: log the request, verify identity, assess lawful basis/exemptions, erase across systems, respond within one month, and keep a compliance record.
- Common pitfalls include treating erasure like a simple unsubscribe, deleting records you need for tax or disputes, and forgetting data stored in emails and shared drives.
- Clear privacy documents and internal policies make handling data erasure requests much easier as your business grows.
If you’d like help putting the right GDPR foundations in place (or handling a tricky data erasure request), you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.