Personal data deletion rights aren’t just paperwork: they’re like removing permanent marker from a whiteboard, simple to describe but tricky to do correctly. Data protection laws now give people more rights to control their personal information. One crucial right they provide is often called the ‘right to be forgotten’ or ‘personal data deletion rights’. This allows individuals to ask organisations to delete their personal information, especially if it’s no longer needed, consent has been withdrawn, or the data was collected unfairly.
In this article, you’ll learn what personal data deletion rights are, when they apply, practical steps to comply, common technical challenges, and when organisations don’t need to erase data. We’ll also briefly explain a related right — the right to restrict data processing.
Understanding personal data deletion rights
The right to erasure means individuals can ask organisations to remove their personal data. This right applies if:
- The data is no longer needed for its original purpose.
- A person withdraws their consent, and no other reason exists to keep the data.
- The individual objects to the data processing, and there’s no strong reason to continue processing it.
- The organisation collected or used the data unlawfully.
- Deleting the data is legally necessary.
- The data relates to children, particularly from online services.
Children’s data often has special protection. Organisations must pay extra attention to erasure requests for data collected when a person was still a child (even if that person is now an adult), because consent given as a child might no longer be valid.
When organisations must erase data, and when they need not
Organisations must check each deletion request carefully against legal conditions when giving effect to personal data deletion rights. However, there are several exceptions when they don’t have to erase data, including:
- Protecting freedom of expression and information.
- Following legal obligations or court orders.
- Public health and safety reasons.
- Archiving, historical research, or statistical purposes where deletion harms the purpose.
- Defending or pursuing legal claims.
Organisations must keep clear records of their decisions and why they keep or delete data.
Practical and technical challenges for personal data deletion rights
Dealing with deletion requests involves clear operational steps:
- Identifying and logging every request, whether spoken or written.
- Confirming the identity of the requester fairly and reasonably.
- Responding clearly and quickly, typically within one month.
- Informing people if their request is denied, clearly explaining the reasons and their right to challenge the decision.
Technical issues can complicate compliance. Organisations often store data in backup systems, making immediate deletion challenging. In these cases, organisations should ensure the data is ‘beyond use’ — secure, inaccessible, and eventually deleted according to a schedule.
If personal data is shared publicly, the organisation must reasonably try to inform others to remove the data or related links.
Right to restrict processing: an alternative option
Sometimes, deleting data under personal data deletion rights isn’t the best or only choice. Individuals can also ask organisations to limit how their personal data is used, particularly when:
- They question the accuracy of the data, and its accuracy is being verified.
- Processing is unlawful, but they prefer to stop its use rather than delete it.
- The organisation no longer needs the data, but it’s essential for a legal claim.
- The individual objects to how the data is processed and awaits the outcome of that objection.
When processing is restricted, organisations should stop using the data temporarily, keep it separate, or label it as restricted. They must inform third parties of these restrictions as well.
Actions you can take next
Successfully managing personal data deletion rights means balancing practical challenges with legal requirements. Organisations must carefully consider each request, manage technical limitations realistically, and document every decision thoroughly. Understanding related rights, such as restricting data use, also helps create a robust approach to data privacy compliance. You can:
- Strive towards compliance by regularly reviewing your procedures for handling personal data deletion requests. We can help you with personal data deletion rights by getting your policies and procedures right.
- Stay informed by consulting relevant local and international guidelines, such as the ICO Accountability Framework.
- Build expertise by training your staff regularly to understand and handle personal data deletion requests clearly and efficiently. Contact us for help with this and other kinds of data protection training.