Disclaimer: The information provided on this website on data erasure requests is for general educational purposes only and does not constitute legal advice. You should always consult your legal team for advice specific to your business and circumstances.
Under the GDPR, your prospects and customers have the right to reach out to your company and submit a data erasure request to delete their data from your databases. Here are the steps you and your team will need to consider to complete a GDPR-compliant data erasure request.
You may occasionally have a prospect, former customer, or another individual contact your company to request that you remove or delete their data from your databases and systems. It is important for your team to establish a process to comply with obligations to grant such user requests, as well as to understand the circumstances when these requests do or do not apply.
Under the GDPR or CCPA regulations, users can ask organizations to delete their data according to provisions often referred to as the “right to be forgotten.” This is not a blanket right and, in some situations, can or should be refused. For GDPR, you can read more about when this right does or does not apply at GDPR.eu. For CCPA, you can refer to this page on the CCPA from the American Bar Association.
Understanding Exemptions for Requests to Delete
Some requests are relatively simple to respond to and complete. Let’s say a person who voluntarily signed up to get email updates from your company decides they don’t want any more emails. Rather than unsubscribing, they reply to your marketing team requesting that you delete their name, email, and other data from your systems. In this case, you may have just one or two sources holding the data to be deleted (such as a CRM or email marketing tool, containing only their name, email, and records related to sent emails).
Other requests may be more complicated or require more identity verification, such as requests to delete medical or financial information. In some situations, a user may request that you delete data that could have exemptions or reasons to refuse (among other things, reasons for retaining data include legal, scientific, public interest, or freedom of expression purposes). In the event of any concerns about an individual request, it is best to acknowledge you have received the request and consult your legal counsel about how to proceed.
GDPR Checklist for Completing Data Erasure Requests
These steps provide a general outline for how a company could create a process for responding to data erasure requests. You should consult your legal team about the process to delete certain kinds of data or accounts, confirm an individual’s identity, and respond to requests based on the circumstances of your business.
- Communicate policies to your team about how such user requests should be accepted, acknowledged, and processed, including when a request arrives outside the standard form or process recommended in your public privacy notice (for example, directly to a sales or support contact).
- Designate the person(s) responsible for responding to and completing user requests for erasure in a timely manner (the GDPR requires a response “without undue delay,” which is generally understood to mean within one month). Each request should be considered individually to determine whether the right to erasure applies or an exemption covers the data.
- You may respond by requesting more information so that you can comply with the request and identify all of the personal data to delete. For example, the person may have provided their name, but you may also need their email address or birthdate to ensure every matching record is removed and that you do not delete records belonging to someone else with the same name.
- You should take reasonable steps to verify the person requesting erasure is actually the subject of that data. You may need to request proof of their identity to verify data is not deleted for the wrong person.
- Identify where information on the individual is stored. The systems or databases may be different, such as if the individual is a former customer, a sales prospect, or subscribed to an email marketing list.
- Erase the user’s data using the proper process for each database or system. As an example, HubSpot has two options for deleting a contact: one option permanently deletes the contact in a GDPR-compliant way, while the other is a noncompliant delete that keeps the data restorable for 90 days, so the permanent option is the one to use for an erasure request.
- When the specified information is deleted, send a receipt to the individual confirming you have erased the data as requested.
How We Handle Data Erasure Requests
In our Privacy Notice, we have a section titled The Rights of the User. It is publicly available and states that users have the right to:
- Have their Personal Data deleted or otherwise removed. Users have the right, under certain circumstances, to obtain the erasure of their Data from the Owner.
Our Privacy Notice then specifies how users can submit a request to our company — though requests can also be received by any individual team member, such as someone in customer success, sales, or marketing.
Getting GDPR Compliant with Carbide
Organizations must be cognizant of their current security systems and data protection frameworks. Carbide helps organizations build a robust, comprehensive security program and implement the necessary data protection controls in their business. With the Carbide platform’s automated compliance checks, you can quickly evaluate your current information security framework and prioritize the gaps that may be putting your company at risk. Carbide can assist you with compliance with various frameworks such as SOC 2, HIPAA, ISO 27001, and GDPR.
One easy thing you can do to get started now? Check out our free “GDPR for Beginners” eBook, which includes a 10-item checklist to help you get GDPR compliant now.