Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If your business collects personal data, you’ll eventually receive a “request to delete personal data” from a customer, website user or even a former employee. These requests (also called “right to erasure” requests) are a normal part of life under UK GDPR - and handling them well is key to building trust and staying compliant.
The good news? With a clear process, the right documentation and a bit of training, you can respond confidently without disrupting your operations.
In this guide, we’ll explain what the right to erasure is, when you can refuse or limit deletion, and how to manage requests step-by-step - all from a small business perspective.
What Is A Request To Delete Personal Data?
Under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, individuals have the right to ask you to delete their personal data. This is known as the “right to erasure” (Article 17 UK GDPR).
Personal data is any information that can identify a person - a name, email, IP address, order history, support ticket notes, CCTV footage, and more. If your business tracks users on your website, runs a mailing list, keeps customer files, or holds staff records, you’re a data controller for those data sets and you’ll need a deletion request process.
Typically, you must respond within one month. In some complex cases you can extend by a further two months, but you need to tell the person within the first month that you’re extending and explain why.
Deletion isn’t always absolute. Depending on your legal basis for processing and other obligations (like tax laws), you may be able to refuse in full or in part, or switch to “restriction” (keeping data locked down but not using it). Knowing where deletion applies - and where it doesn’t - is the key to getting this right.
If you’d like a refresher on wider privacy duties before diving in, it’s worth skimming a short overview of GDPR data deletion and how deletion fits into your overall compliance.
When Can You Refuse Or Limit Deletion?
The right to erasure isn’t a “delete everything I ever gave you” switch. UK GDPR gives businesses several lawful reasons to keep personal data, even when someone asks you to remove it. Common scenarios where you can refuse or limit deletion include:
- You need the data to comply with a legal obligation (for example, keeping transaction records for HMRC or keeping certain employment records for statutory periods).
- You need the data to establish, exercise or defend legal claims (for instance, retaining complaint correspondence while a dispute is active).
- You still need the data for the purpose for which you collected it, and your lawful basis is "legal obligation" or a task carried out in the public interest (the right to erasure generally doesn't apply to processing on those bases).
- The request targets data that you must keep for accounting, tax or recordkeeping rules, or where an industry regulation requires retention.
- The request is manifestly unfounded or excessive (for example, it’s clearly intended to harass or it repeats previous requests without a reasonable interval).
Equally, there are circumstances where you must delete data promptly. You’ll typically need to erase if:
- You no longer need the data for the original purpose and there’s no new compatible purpose.
- Your processing relied on consent and consent has been withdrawn (and you have no other lawful basis).
- The individual successfully objects to processing based on legitimate interests and your interests don’t override theirs.
- You processed data unlawfully.
- You must erase to comply with a legal obligation under UK law.
You can also choose to “restrict” instead of delete in limited cases - for example, while you verify identity, assess a dispute, or confirm retention obligations. Restriction means you keep the data but put it beyond routine use.
If you’re unsure whether an exemption applies, it’s wise to look at the Data Protection Act 2018 exemptions (many of which overlap with the common SAR exemptions) and get advice. The standard for refusing is high, and you’ll need to explain your reasoning and the individual’s right to complain to the ICO in your response.
How To Handle A Deletion Request Step-By-Step
A clear, documented flow will save time and reduce risk. Here’s a practical process you can adapt for your business.
1) Confirm It’s A Valid Request And Verify Identity
- Capture the request in a central inbox or ticketing system so it isn’t missed. Treat any channel (email, web form, social media message) as a potential entry point.
- Log the request date. Your one-month clock starts when you receive the request.
- Verify identity proportionately. Ask for what you need to be sure you’re deleting the right person’s data - for example, confirming the email address via a link or asking for order details. Don’t collect excessive new data.
2) Clarify Scope
- Deletion requests can be broad (“delete all my data”) or limited (“remove me from your marketing list”). If it’s unclear, politely ask the person to specify the systems or data types they’re referring to.
- Explain limits. It helps to outline that you’ll delete what you can but may retain data you need for legal or contractual reasons (e.g., invoices for tax).
3) Identify Where The Data Lives
- Check all relevant systems: CRM, email marketing platform, helpdesk, e‑commerce platform, analytics tools, payment processor, HR files, shared drives and backups.
- Don’t forget data you’ve shared with third parties. If you used a processor (e.g., a marketing platform) you must instruct them to delete data too, under your Data Processing Agreement.
4) Assess Your Legal Basis And Retention
- For each data set, note the lawful basis (consent, contract, legitimate interests, etc.) and check whether an exemption or retention rule applies.
- If retention applies, consider “suppression” instead of deletion - for example, keep a minimal record on a do‑not‑contact list to ensure you don’t email the person again.
- Apply your retention schedule consistently. If you haven’t set one, now is a good time to formalise your data retention standards.
5) Action Deletion Or Restriction
- Delete data from live systems where required. Log what you removed, when and by whom.
- Check how your backup policy works. You generally don’t need to pull data out of backups immediately, provided backups are encrypted, access is limited, and you won’t restore the erased data into live systems except in a disaster recovery scenario (in which case it must be deleted again after the restore). The data then ages out as backups expire on your normal retention cycle.
- Update suppression lists where appropriate (e.g., marketing).
6) Notify Processors And Confirm Completion
- Instruct your processors to erase or restrict the data in line with your contract obligations. Good vendor management and a strong Data Processing Agreement make this much easier.
- Where you have shared the data with other recipients (other controllers as well as processors), Article 19 UK GDPR expects you to tell each of them about the erasure unless that proves impossible or involves disproportionate effort, and to tell the individual who those recipients are if they ask. If you made the data public, Article 17(2) also requires reasonable steps to inform other controllers processing it.
7) Respond Within One Month
- Confirm what you did and explain any data you retained and why (for example, tax retention periods or ongoing legal claims).
- Tell the person about their rights to complain to the ICO and to seek a judicial remedy. If you need more time, explain the extension (up to two additional months) and your reasons before the first month expires.
- If you refuse fully or partially, provide a clear explanation laying out the applicable exemption.
Tip: Many businesses combine their erasure process with their approach to Subject Access Requests so the team knows exactly how to triage, verify identity and track deadlines for any privacy request.
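The seven steps above hinge on two things that are easy to get wrong in a spreadsheet: the one-month deadline and the audit trail. The following is an added example (not Sprintlaw’s code or a tool the article describes) of a minimal request register in Python. It follows ICO guidance on counting "one month": the corresponding calendar date in the following month, the last day of that month if no such date exists (31 January plus one month is 28 or 29 February), rolling to the next working day if that falls on a weekend or bank holiday. The bank-holiday set is supplied by the caller because there is no built-in UK calendar here; the `ErasureRequest` class, its field names and the ticket references are assumptions made for the example.

```python
import calendar
from dataclasses import dataclass, field
from datetime import date, timedelta


def add_months(d: date, months: int) -> date:
    """Corresponding calendar date `months` later; if that day does not exist
    (31 Jan + 1 month), clamp to the last day of the target month."""
    years, month0 = divmod(d.month - 1 + months, 12)
    year, month = d.year + years, month0 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


def next_working_day(d: date, bank_holidays: frozenset = frozenset()) -> date:
    """Roll a weekend or bank holiday forward to the next working day.
    `bank_holidays` must be supplied by the caller (assumption: no UK calendar built in)."""
    while d.weekday() >= 5 or d in bank_holidays:
        d += timedelta(days=1)
    return d


def response_deadline(received: date, extension_months: int = 0,
                      bank_holidays: frozenset = frozenset()) -> date:
    """One month from the day of receipt, plus up to two further months if extended."""
    if not 0 <= extension_months <= 2:
        raise ValueError("extension must be 0, 1 or 2 months")
    return next_working_day(add_months(received, 1 + extension_months), bank_holidays)


@dataclass
class ErasureRequest:
    ref: str                  # internal reference, e.g. a ticket id (assumed)
    received: date            # day the request arrived, on any channel
    channel: str              # email, web form, social media, ...
    extension_months: int = 0
    bank_holidays: frozenset = frozenset()
    audit: list = field(default_factory=list)   # (date, actor, entry) tuples

    def log(self, on: date, actor: str, entry: str) -> None:
        """Append an audit entry: what was checked, deleted or restricted, when, by whom."""
        self.audit.append((on, actor, entry))

    def original_deadline(self) -> date:
        return response_deadline(self.received, 0, self.bank_holidays)

    def deadline(self) -> date:
        return response_deadline(self.received, self.extension_months, self.bank_holidays)

    def extend(self, on: date, months: int, reason: str, actor: str) -> date:
        """Record an extension. The individual must be told before the first
        month expires, so an extension logged after that date is rejected."""
        if self.extension_months:
            raise ValueError("request has already been extended")
        if on > self.original_deadline():
            raise ValueError("extension must be notified within the first month")
        self.extension_months = months
        self.log(on, actor, f"extended by {months} month(s): {reason}")
        return self.deadline()

    def is_overdue(self, today: date) -> bool:
        return today > self.deadline()


if __name__ == "__main__":
    # Constructed sample: a request received on 31 January 2024 by email.
    req = ErasureRequest("ER-0001", date(2024, 1, 31), "email")
    req.log(date(2024, 2, 1), "support", "identity verified via account email link")
    print("respond by", req.deadline())                      # 2024-02-29
    print("extended to", req.extend(date(2024, 2, 20), 2,
                                    "data held by several processors", "dpo"))
```

The calendar arithmetic is the part worth testing: naive "received + 30 days" or "+31 days" logic drifts by a day or two in short months and will silently put a response late.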
What Data Must You Keep? Practical Retention Rules
Deletion requests often collide with your retention obligations. While you should minimise personal data and not keep it “just in case,” some records must be retained by law or for legitimate business reasons.
Common examples include:
- Accounting and tax records (typically retain for at least six years for HMRC).
- Company and contract records (e.g., signed agreements, key correspondence) for limitation periods and dispute management.
- Employment records, including payroll, working time and health and safety documents, for statutory periods.
- Health and safety incident records and insurance documentation.
When you retain data:
- Lock it down. Move to restricted access, encrypt where possible, and stop any non‑essential processing.
- Use suppression lists for marketing: keep the minimum information needed to ensure the person isn’t contacted again.
- Be transparent. Your response should explain what you’re keeping and the legal reason or business necessity.
As part of your compliance framework, consider formalising your schedules for document retention and disposal, and align them with your wider recordkeeping obligations. Clear schedules help your team act consistently and reduce the risk of over‑retention.
Deletion Requests From Employees, Customers And Marketing Contacts
Erasure requests vary by context. Here’s how they commonly play out in small businesses.
Customers (E‑commerce, Services, Bookings)
Customers might ask you to delete order histories, support tickets or account profiles. In many cases you can erase profile data while keeping invoices and transaction details that you need for tax or fraud prevention. Move retained data to restricted storage and stop using it for marketing or profiling.
Make sure your website requests flow into a managed process. That includes updating your Privacy Policy so it explains how customers can make a deletion request, how long you keep data, and any legal reasons you might retain limited information.
Employees, Applicants And Contractors
Staff and applicants often ask to remove recruitment files, CVs or old performance documents. You can typically delete extra copies and emails you no longer need, but you’ll retain core HR records for statutory retention periods and for legal claims. Be consistent: apply the same rules across all staff and document your rationale.
Marketing Contacts And Cookies
For marketing, the simplest path is to remove contacts from mailing lists and add them to a suppression list. This ensures you respect their wish not to be contacted while keeping the minimal data needed to prevent future outreach. Align this with your obligations under email marketing laws and ensure your unsubscribe mechanisms are clear.
If someone asks you to delete cookie‑derived data or analytics profiles, assess whether you can de‑identify data or remove unique identifiers. Also check that your cookie banners and consent tools are configured so users can withdraw consent easily - that reduces deletion requests at the source.
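Suppression comes up several times on this page (step 4 and step 5 of the process, the retention section and the marketing section above), and the recurring point is "keep the minimum needed to make sure the person isn’t contacted again". The following is an added example in Python, not Sprintlaw’s code, showing one way to do that: the live contact record is deleted and only a keyed hash (HMAC-SHA256) of the normalised address is kept on the do-not-contact list, so the list can block a future send but cannot itself be used to email anyone. The key, the `SuppressionList` class and the sample contact are assumptions for the example; the HMAC choice is this example’s, not something the article prescribes.

```python
import hashlib
import hmac
import unicodedata
from datetime import date

# Constructed key for this example. In practice load it from a secrets manager
# and treat it as long-lived: the original addresses are gone, so tokens cannot
# be regenerated under a new key.
SUPPRESSION_KEY = b"example-only-key-do-not-reuse"


def normalise_email(addr: str) -> str:
    """Canonical form so 'Alice@Example.COM ' and 'alice@example.com' match."""
    addr = unicodedata.normalize("NFKC", addr).strip().lower()
    local, at, domain = addr.rpartition("@")
    if not at or not local or not domain:
        raise ValueError(f"not an email address: {addr!r}")
    return f"{local}@{domain}"


def suppression_token(addr: str, key: bytes = SUPPRESSION_KEY) -> str:
    """Keyed hash of the normalised address. An unkeyed hash would be reversible
    by hashing guessed addresses; the secret key removes that shortcut."""
    return hmac.new(key, normalise_email(addr).encode("utf-8"), hashlib.sha256).hexdigest()


class SuppressionList:
    """Do-not-contact list that stores tokens, never addresses."""

    def __init__(self) -> None:
        self._entries: dict[str, tuple[date, str]] = {}   # token -> (added on, reason)

    def add(self, addr: str, on: date, reason: str) -> None:
        self._entries[suppression_token(addr)] = (on, reason)

    def is_suppressed(self, addr: str) -> bool:
        return suppression_token(addr) in self._entries

    def filter_recipients(self, addrs) -> list:
        """Gate for the send pipeline: every outbound batch passes through here."""
        return [a for a in addrs if not self.is_suppressed(a)]

    def stored_values(self) -> list:
        """What would actually be on disk: hex tokens only."""
        return list(self._entries)


def erase_marketing_contact(contacts: dict, addr: str, suppression: SuppressionList,
                            on: date, reason: str = "erasure request") -> bool:
    """Suppress first, then delete the live record, so a failure between the two
    steps never leaves the person contactable. Returns True if a record was removed."""
    key = normalise_email(addr)
    suppression.add(key, on, reason)
    return contacts.pop(key, None) is not None


if __name__ == "__main__":
    # Constructed sample mailing list keyed by normalised address.
    contacts = {"alice@example.com": {"name": "Alice", "consented": "2023-05-01"}}
    suppression = SuppressionList()
    erase_marketing_contact(contacts, " Alice@Example.COM ", suppression, date(2024, 3, 4))
    print("live contacts:", contacts)                                   # {}
    print("send to:", suppression.filter_recipients(["alice@example.com", "bob@example.com"]))
    print("on disk:", suppression.stored_values())                      # 64-char hex tokens
```

Two caveats a practitioner should keep in mind. First, a keyed hash is pseudonymised rather than anonymised data, so protect the list and the key as you would any personal data; the gain is that it is useless for contacting anyone, which is exactly the minimum the page describes. Second, the send pipeline must actually call `filter_recipients` (or an equivalent) on every batch; a suppression list nobody consults is just extra data.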
Policies, Contracts And Training That Make Deletion Easier
Erasure requests are far easier when you’ve laid the groundwork. A few key documents and routines will keep you compliant and reduce admin time.
Privacy Policy And Internal Procedures
- A clear, plain‑English Privacy Policy that explains how individuals can exercise their rights, your typical response time and when you might retain data.
- Internal playbooks for handling privacy requests, with templates for acknowledgement, clarification, completion and refusal letters.
- A central register of privacy requests so you can track one‑month deadlines and outcomes.
Contracts With Vendors
- Robust Data Processing Agreements with your SaaS and service providers. They should oblige processors to assist with deletion and to pass through deletion to their sub‑processors.
- Data mapping records that show where personal data lives across your tech stack, so you can instruct the right vendors quickly.
Risk Management And Training
- Staff training on spotting privacy requests (including those arriving via social media or customer service chats) and routing them to the right owner.
- Incident readiness with a tested Data Breach Response Plan. While separate from deletion, the same teams and systems are involved.
- Clear retention and disposal schedules that align with your operations and provide practical guidance for backups and archived email.
If you’re pulling your compliance pieces together, a coordinated set of policies and templates like a GDPR Package can save a lot of time and help you stay consistent across requests and systems.
Frequently Asked Questions (From A Small Business Lens)
Do We Have To Delete Data From Backups?
Usually you don’t need to surgically remove personal data from immutable backups. The ICO generally expects you to ensure backups are not used for routine processing, are encrypted, and that any restored data is re‑assessed for deletion. The data should be overwritten on your normal backup lifecycle.
Can We Charge A Fee?
Requests are normally free. You can charge a reasonable fee (or refuse) only where a request is manifestly unfounded or excessive, and that threshold is high. The separate fee for additional copies of information applies to Subject Access Requests, not erasure. Most small businesses won’t rely on fees and will focus on limiting scope.
What If We Need The Data For A Refund, Warranty Or Legal Claim?
You can retain relevant records if it’s necessary to comply with the law (e.g., the Consumer Rights Act 2015) or to establish, exercise or defend legal claims. Keep only what you need, restrict access, and stop using the data for marketing or profiling.
How Do We Prove We Deleted The Data?
Keep an internal log of what systems you checked, what you deleted or restricted, and when. You don’t need to send a forensic report to the individual, but you should confirm completion and the broad steps taken. Good logging demonstrates accountability.
What If The Request Is Actually A Subject Access Request?
People often mix up rights. A message might say “please delete my data and send me a copy.” Treat each part under its respective process: erasure and access. Align this with your existing approach to Subject Access Requests and timelines.
Practical Tips To Reduce Future Deletion Requests
- Collect less in the first place. If you don’t need it, don’t ask for it - minimisation dramatically reduces deletion workload.
- Make self‑service controls easy: account deletion buttons, unsubscribe links and clear cookie controls prevent manual requests landing in your inbox.
- Keep your data map current. Knowing where data lives saves hours when a request comes in.
- Standardise retention. Regularly purge unneeded data so deletion requests are smaller and simpler to action.
- Be clear and honest in your privacy notices about what you keep and why. Clarity reduces back‑and‑forth.
Key Takeaways
- A “request to delete personal data” engages the right to erasure under UK GDPR. You usually have one month to respond and should keep a clear audit trail of your steps.
- Deletion isn’t absolute. You can retain data you need for legal obligations, tax and accounting, or to establish, exercise or defend legal claims - but lock it down and don’t use it for other purposes.
- Follow a simple process: verify identity, clarify scope, find the data across systems and vendors, assess legal basis and retention, delete or restrict, notify processors, and respond clearly.
- Backups, suppression lists and targeted retention schedules are practical tools to balance compliance with operational realities.
- Put strong foundations in place: a clear Privacy Policy, robust Data Processing Agreements, sensible retention rules and staff training. Consider an integrated GDPR Package to keep everything consistent.
- Marketing and cookies have their own quirks: use suppression (not blanket deletion) to respect opt‑outs, and make sure your email marketing and cookie banner setup makes it easy to withdraw consent.
If you’d like tailored help refining your deletion workflow, updating your privacy documentation or handling a complex request, you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.