Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
- What Is GDPR and Why Does It Matter for UK Businesses?
- What Is the Right to Be Forgotten?
- How Should UK Businesses Respond to a Right to Be Forgotten Request?
- What Systems and Documents Should You Have in Place?
- Key Challenges for Small Businesses (and How To Overcome Them)
- What Are the Consequences of Ignoring the GDPR and Right to Be Forgotten?
- How Does the Right to Be Forgotten Relate to Other GDPR Rights?
- Practical Example: Handling a Right to Be Forgotten Request
- Key Takeaways
If your business collects, stores, or handles any kind of personal data - whether it’s customer email addresses, employee records, or web analytics - the legal landscape can feel overwhelming. Understanding the GDPR and the right to be forgotten is crucial for UK businesses of every size, especially as data rights are now in the spotlight more than ever.
Don’t stress - with the right research and some practical legal steps, you can make sure your business is compliant and your customers’ trust is protected. In this friendly guide, we’ll break down what GDPR means for you, how the right to be forgotten actually works, and the best action steps to get your business set up from day one. Ready? Let’s demystify your data duties and make compliance a positive step for your business success.
What Is GDPR and Why Does It Matter for UK Businesses?
Let’s start with the basics. The General Data Protection Regulation (GDPR) is a comprehensive privacy law designed to protect people’s personal data across the UK and Europe. In the UK, it is enforced alongside the Data Protection Act 2018; since Brexit, the UK version of the regulation is commonly referred to as the “UK GDPR”.
If your business processes the personal data of UK residents - that is, any information that can identify an individual, such as names, contact details, payment info, IP addresses, and more - you’re required to comply with GDPR.
- Who does it apply to? Nearly all businesses, regardless of size, if you handle personal data - this includes sole traders, partnerships, limited companies and even charities.
- What’s the risk? Failing to follow GDPR can lead to complaints, regulatory investigations, reputational damage and significant fines from the Information Commissioner’s Office (ICO).
- What are your obligations? You must protect personal data, be transparent about how you use it, gain valid consent where required, and respond to people’s rights over their data.
Getting your GDPR compliance strategy right from your first day in business isn’t just a legal hurdle - it’s a foundation for earning your customers’ trust and protecting your growth.
If you need a deeper look at core GDPR requirements and how they affect different types of UK SMEs, check out our GDPR essentials explained guide.
What Is the Right to Be Forgotten?
One of the headline rights under GDPR is the so-called right to be forgotten. Formally known as the right to erasure, this allows individuals to request that an organisation delete their personal data in certain circumstances.
What does this mean in practice for your business? Let’s imagine a customer emails you and says, “Please delete all my data from your records.” As a business owner, you’ll need to:
- Understand when you are required to erase data
- Know when you can lawfully refuse the request
- Have efficient systems for deleting data across your business operations
- Communicate with the individual about the outcome - quickly and clearly
The right to be forgotten isn’t absolute. It only applies in specific scenarios (we’ll cover those in a moment), and there are exceptions. But it’s important to treat every request seriously and have a clear, documented process in place.
For more on the rules around erasure and practical steps for responding, see our dedicated guide: GDPR right to erasure and deletion requests.
When Does the Right to Be Forgotten Apply?
You’ll need to erase (delete) someone’s personal data if one (or more) of the following applies:
- The data is no longer needed for the original purpose you collected it for
- The person withdraws their consent, and there’s no other legal ground for keeping or using the data
- The person objects to the processing and you don’t have overriding legitimate interests
- You are legally required to delete the data (for compliance with a legal obligation)
- The data was collected unlawfully
It’s not just about ticking a box. Your team must be ready to review the request, make a clear decision, document it, and act quickly. In most cases, you must respond without undue delay - and always within one month.
Are There Situations Where You Can Refuse?
Yes, there are several scenarios where the right to be forgotten does not apply, and you may lawfully refuse:
- You must keep the data to comply with a legal obligation (e.g., for tax or employment law reasons)
- The data is required to exercise or defend legal claims
- You have overriding legitimate interests that outweigh the interests of the individual
- It’s needed for certain public health, scientific, or statistical purposes
If you’re going to refuse a request, you must explain why, let the person know about their right to complain to the ICO, and keep a record of your justification.
How Should UK Businesses Respond to a Right to Be Forgotten Request?
Okay, so a request lands in your inbox. What now? Here’s a straightforward process your business can follow to make sure you stay compliant and build trust with your customers:
- Log the request: As soon as it arrives, make a secure note and assign it to the right person or team member.
- Verify the requester’s identity: Make sure the person is who they say they are - this protects everyone’s privacy.
- Find and assess the data: Identify all personal data you hold on them across your systems, emails, cloud drives, paper files, and third-party services.
- Check if the right applies: Go through the list of valid reasons (as above). If you need to keep the data by law, document this clearly.
- Erase the data (if required): Delete securely from all records, including backups where feasible. Tell any service providers or third parties you’ve shared the data with to do the same.
- Respond in writing: Confirm to the individual what you’ve done and explain any exceptions or delays.
- Record your decision: Keep evidence of every step - it’s vital in case the ICO or courts review your handling later.
It can be a lot to keep track of, so many businesses use internal checklists or even specialist tools to handle these steps efficiently. If you’re not sure which process best suits your operations, it’s wise to get advice from a data protection specialist or GDPR consultant.
What Systems and Documents Should You Have in Place?
Being prepared is the best defence! Here are the key policies, procedures, and contracts every UK business should consider having to make the right to be forgotten easy to handle:
- Clear Privacy Policy: Let individuals know up front about their data rights (including deletion) and how to exercise them. This isn’t just best practice - it’s a legal requirement. For details, check out our Privacy Policy essentials guide.
- Internal Data Retention Policy: Spell out how long you keep data, when you delete it, and who is responsible. This helps satisfy both GDPR and ICO expectations.
- Data Processing Agreements: If you use outside suppliers (like cloud platforms or payroll services), you need strong contracts saying they’ll delete data on request and cooperate with GDPR compliance. Learn more about these in our guide to Data Processing Agreements.
- Data Breach Response Plan: If something goes wrong (e.g. accidental deletion, hack, or loss), you must act fast. Have a plan in place and know when to tell the ICO and affected people. Read our article on creating a data breach response plan for actionable steps.
- Employee Training: Make sure your team knows what to do if a deletion request arrives, and who’s responsible for each step.
Remember - off-the-shelf templates won’t always cover your specific risks, systems, or industry. Getting a privacy law expert to help draft or review your policies is the best way to stay protected as your business grows.
Key Challenges for Small Businesses (and How To Overcome Them)
If you’re running a startup or SME, you might be thinking: this all sounds like a lot for a small team! And you’re right - GDPR compliance and the right to be forgotten can bring extra pressure. Here’s how you can make it manageable:
- Map your data: Know what personal data you collect, where you store it, and who has access. Start simple - even a spreadsheet can help.
- Automate where possible: Use digital tools to collate, find, and delete data. Many email, CRM, and cloud platforms have erasure features built in.
- Prioritise transparency: Be upfront in your privacy policy and customer communication. People are less likely to raise complaints if they feel respected.
- Review contracts with suppliers: Make sure your service providers support data deletion requests. If they don’t, consider switching or updating your agreements.
- Seek professional support: Don’t hesitate to get expert help, especially as you scale or if your business deals with sensitive or high-risk information.
It can be overwhelming to know exactly which GDPR steps are relevant to your business. So chatting to a legal expert about the risks your business might face is always a smart move. Setting up your legal foundations early can save you headaches later!
What Are the Consequences of Ignoring the GDPR and Right to Be Forgotten?
If you neglect your data duties, the risks aren’t just theoretical - they’re real and can be costly, such as:
- Customers losing trust and going elsewhere
- ICO investigations, warnings, or enforcement action
- Hefty fines - the ICO can impose penalties up to £17.5 million or 4% of worldwide turnover (whichever is greater) for serious breaches
- Disputes and negative publicity that damage your brand
Not every mistake means a fine, but being able to show you’ve taken responsible steps (documented processes, staff training, clear records) is your best defence if the regulator ever comes knocking.
How Does the Right to Be Forgotten Relate to Other GDPR Rights?
The right to be forgotten is just one of several data rights under GDPR. Others your business needs to support include:
- The right to access: People can ask to see what data you hold about them (called a “subject access request”).
- The right to rectify: They can get inaccurate data corrected.
- The right to restrict processing: In some cases, individuals can ask you to “pause” using their data.
- The right to data portability: People can ask for their data in a commonly used, machine-readable format.
For a practical overview on managing subject access requests and your duties, see our step-by-step guidance on handling SARs in the UK.
Supporting all these rights should be part of your overall data protection compliance strategy - and a core part of your business foundation.
Practical Example: Handling a Right to Be Forgotten Request
Let’s say you run a small e-commerce business. An ex-customer asks you to delete all their data. Here’s how you might handle it:
- Verify their identity (ask for confirmation or proof before proceeding).
- Search your records - order history, marketing lists, customer database, backups.
- Check your legal obligations - do you still need their data for warranty, tax, fraud prevention, or any other reason?
- If not, delete their details from all digital and paper systems - and notify any service providers you use for fulfilment or payments.
- Send the customer a clear confirmation explaining what was deleted, and any limited data you are obliged to keep (plus why).
- Document your handling of the request in your internal GDPR compliance records.
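The seven-step process above and this e-commerce walkthrough can be modelled as a small decision routine. The following is an added Python example, not part of this guide: it assumes the request has already been logged, uses constructed labels for the grounds and exemptions listed earlier, and treats the one-month deadline as one calendar month from the day of receipt (clamped to month end).

```python
from dataclasses import dataclass, field
from datetime import date
from calendar import monthrange

# Grounds on which erasure is required, and exemptions that justify refusal (both as listed in the guide).
ERASURE_GROUNDS = {"no_longer_needed", "consent_withdrawn", "objection_without_overriding_interest",
                   "legal_obligation_to_delete", "unlawfully_collected"}
REFUSAL_EXEMPTIONS = {"legal_obligation_to_keep", "legal_claims",
                      "overriding_legitimate_interest", "public_health_or_research"}

@dataclass
class ErasureRequest:
    requester: str
    received: str                # ISO date the request arrived (step 1: log it)
    identity_verified: bool      # step 2: never act on an unverified request
    grounds: set                 # erasure grounds that apply (constructed labels, not legal terms of art)
    exemptions: dict             # exemption -> data categories it covers, e.g. {"legal_obligation_to_keep": ["invoices"]}
    data_locations: dict         # system -> data categories held there (from your data map)
    processors: set = field(default_factory=set)  # systems run by third parties you must notify

def response_deadline(received: str) -> str:
    """One calendar month after receipt; clamps to month end when the day does not exist (assumed convention)."""
    d = date.fromisoformat(received)
    year, month = (d.year + 1, 1) if d.month == 12 else (d.year, d.month + 1)
    return date(year, month, min(d.day, monthrange(year, month)[1])).isoformat()

def assess(req: ErasureRequest) -> dict:
    """Decide erase / partial erase / refuse and build the record you keep in case the ICO reviews it."""
    record = {"requester": req.requester, "received": req.received,
              "deadline": response_deadline(req.received)}
    if not req.identity_verified:
        record["outcome"] = "awaiting_identity_verification"
        return record
    if not (req.grounds & ERASURE_GROUNDS):
        record.update(outcome="refused", reason="no valid erasure ground", ico_notice=True)
        return record
    retained = {ex: cats for ex, cats in req.exemptions.items() if ex in REFUSAL_EXEMPTIONS}
    keep = {c for cats in retained.values() for c in cats}
    plan = {sys_: [c for c in cats if c not in keep] for sys_, cats in req.data_locations.items()}
    plan = {s: c for s, c in plan.items() if c}         # drop systems with nothing left to erase
    record["erase"], record["retain"] = plan, retained
    record["notify_processors"] = sorted(s for s in plan if s in req.processors)
    record["outcome"] = "refused" if not plan else ("partial_erase" if retained else "erase")
    record["ico_notice"] = bool(retained) or not plan    # refusals and partial erasures: explain why and point to the ICO
    return record
```

The returned record is the evidence trail from step 7: it names what was erased, what was kept and under which exemption, which suppliers to notify, and whether the reply must mention the right to complain to the ICO.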
If you’re ever unsure, remember: a quick conversation with a legal expert can prevent an accidental breach.
Key Takeaways
- UK businesses must comply with the GDPR and right to be forgotten if they process any personal data - regardless of size or sector.
- The right to be forgotten lets individuals request deletion of their personal data, but there are exceptions and you must assess each request carefully.
- Have strong policies in place (like a privacy policy and data retention procedure) to make handling deletion requests efficient and compliant.
- Always verify ID, document your judgement process, and respond promptly to requests - usually within one month.
- Get professional advice if you’re unsure which rules apply to your business or how to build a GDPR compliance program from day one.
If you’d like friendly, practical support in making your business GDPR-compliant or need help handling right to be forgotten requests, you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligation chat. We’re here to make sure your legal foundations are strong, so you can focus confidently on growing your business!