The right to erasure, commonly known as the ‘right to be forgotten,’ is a widely misunderstood aspect of UK data protection law.
Individuals often believe they can require you to delete all personal data you hold about them. However, the right is not absolute and often must be balanced against a complex framework of exemptions and competing interests.
In this blog, we explore when the right to be forgotten applies, some key exemptions, and best practices for responding to erasure requests under the UK GDPR.
When does the right to erasure apply?
Under Article 17 of the UK GDPR, an individual (the ‘data subject’) can request that you erase personal data about them, but only if one of the following circumstances applies:
- No longer necessary – You no longer need the personal data to achieve your lawful purposes.
- Withdrawal of consent – Processing was based on consent, the data subject withdraws their consent, and there is no other legal basis for processing.
- Objection to processing – Processing was based on legitimate interests, the data subject objects to the processing, and there are no ‘overriding legitimate grounds’ to continue.
- Processing was unlawful
- Legal obligation to erase – The organisation is legally required to erase the data.
- Children’s data – The data was collected in relation to an online service offered directly to a child.
Even if the right to erasure is triggered, you might be able to (or even be required to) apply an exemption and refuse to delete some or all of the data.
Common exemptions
Article 17(3) lists the best-known exemptions from the erasure requirement. Schedule 2 of the Data Protection Act 2018 then adds a series of further, often sector-specific exemptions.
1. Compliance with legal obligations
You must refuse to delete personal data if another law requires you to retain it. This often applies to:
- Financial records because of income tax laws or PAYE regulations.
- Employee records under employment or health and safety law.
2. Defending or pursuing legal claims
Under Article 17(3)(e), you can retain personal data if necessary to establish, exercise, or defend legal claims. You can rely on this to keep evidence you might reasonably need to pursue or defend:
- potential tribunal claims by an employee.
- potential contract disputes or negligence claims by customers or suppliers.
You can rely on this exemption even before a legal claim is filed or threatened. It just needs to be possible (i.e. the applicable limitation period hasn’t expired, and there’s no positive prescription at Scots law preventing the claim).
3. Freedom of expression and public interest
Personal data may be retained if it is required for journalistic, academic, artistic, or literary purposes in the public interest.
4. Archiving and research
Data retained for scientific, historical, or statistical research purposes may also be exempt if the processing is proportionate and you provide safeguards to protect individual rights.
Handling erasure requests: best practices
1. Verify identity
You need to take reasonable and proportionate steps to ensure the requester is who they say they are. Otherwise, you could be erasing data without proper instructions, which would be a personal data breach under the UK GDPR.
2. Identify the data that’s in scope and assess the request
The first part of this step looks the same as responding to a DSAR: find all the personal data relating to the requester. This involves searching all relevant assets that could contain the data, such as:
- Customer databases
- Employee records
- Marketing lists
- CRM systems
Once you know what data is in scope, assess the request:
- Determine whether the right to erasure applies (UK GDPR art 17(1))
- Apply any exemptions (UK GDPR art 17(3), and DPA 2018 Sch 2)
- Document the decision-making process
Whether granting or denying a request, maintaining clear records of the decision-making process is essential for replying to any subsequent complaints or ICO enquiries.
3. Notify third parties
If you’ve shared personal data with third-party controllers, or made it public, you must take reasonable steps to inform the other controllers of the erasure request.
4. Respond within legal timeframes
The deadline to respond to an erasure request is one month. This can be extended by up to two further months for complex requests, but the data subject must be informed.
Common pitfalls to avoid
- Assuming all requests must be fulfilled – Erasure requests are not absolute. Assess each one individually.
- Failing to document decisions – Clear records are essential for defending complaints.
- Straining to call the request “manifestly unfounded” or “excessive” – this is a very high bar to clear, and it will apply in relatively extreme cases only.
How we can help
Complying with erasure requests can be difficult, time-consuming work.
Contact our specialist team and we’ll help you review documents efficiently and at scale, apply the right exemptions, and decide with confidence what you should delete and what you should keep.
Based in Edinburgh, Trevor is triple-qualified as a solicitor in Scotland, England & Wales, and British Columbia (non-practising status). He is also a Law Society of Scotland Certified Specialist in Cyber Security, and has the data protection certifications CIPP/E and CIPM.
With over 17 years’ experience both in-house and in private practice, Trevor advises clients on data protection and privacy (especially GDPR and PECR), commercial contracts, small business acquisitions, and freedom of information.