Compliance

GDPR Right to Erasure: How to Find and Delete Data

When a customer invokes their right to erasure under GDPR Article 17, you have 30 days to find and delete every piece of their data across every system. Here is how to actually do it without missing anything.

March 2026 · 12 min read

What Article 17 Actually Requires

Article 17 of the General Data Protection Regulation gives individuals the right to have their personal data erased by any organization that holds it. This right is commonly called the "right to be forgotten," though the legal text uses the more precise term "right to erasure." When a data subject submits a valid erasure request, you must delete all of their personal data without undue delay, which the regulation defines as within one calendar month. Extensions of up to two additional months are permitted for complex requests, but you must notify the individual within the first month that you need more time.

The scope of erasure is comprehensive. It applies to all personal data you hold about the individual, across all systems, in all formats. This includes structured database records, CRM entries, email marketing lists, spreadsheet files, ad platform audiences, support ticket archives, and any other location where their data appears. If you have shared the individual's data with third parties, Article 17(2) requires you to take reasonable steps to inform those third parties that the data subject has requested erasure.

There are specific grounds under which erasure must be carried out: the data is no longer necessary for its original purpose, the individual withdraws their consent, the individual objects to processing and there is no overriding legitimate interest, the data was processed unlawfully, or erasure is required to comply with a legal obligation. Understanding these grounds is important because they determine whether you must comply with a given request.

When You Can Refuse an Erasure Request

The right to erasure is not absolute. Article 17(3) lists several exceptions where you can lawfully refuse a deletion request. You may retain data when it is necessary for exercising the right of freedom of expression, for compliance with a legal obligation that requires processing under EU or member state law, for reasons of public interest in the area of public health, for archiving purposes in the public interest, for scientific or historical research purposes, or for the establishment, exercise, or defense of legal claims.

In practical terms, the most common exception for businesses is legal compliance. Tax records, financial transaction histories, and employment records often must be retained for specified periods regardless of erasure requests. If you are legally required to keep a record for seven years, you can retain it while deleting all other data about the individual. However, you must inform the data subject about which data is being retained and the legal basis for the retention.

When you refuse a request, you must inform the individual of the reasons for the refusal and their right to lodge a complaint with a supervisory authority. Vague or unsubstantiated refusals are treated as non-compliance. Document every refusal decision with the specific legal basis and retain that documentation for your records.

The Operational Challenge: Scattered Data

The legal requirements of Article 17 are straightforward. The operational challenge is enormous. In a typical small to mid-size business, a single customer's data can exist in a dozen or more locations: your CRM, email marketing platform, e-commerce system, customer support tool, accounting software, spreadsheet exports, CSV files on local drives, shared cloud folders, ad platform audiences, analytics tools, and email threads containing attachments with customer data.

The spreadsheet problem is particularly severe. Every time someone exports data from a system for a one-time analysis, a direct mail campaign, or a management report, a new untracked copy of personal data comes into existence. These files are rarely logged in any data inventory. They sit on individual laptops, in shared Dropbox folders, and in Google Drive directories with permissive sharing settings. When an erasure request arrives, these orphaned spreadsheets are the records most likely to be missed.

Data inconsistency makes the problem worse. The same person might appear as "Maria Garcia" in your CRM, "M. Garcia" in a spreadsheet export, "maria.garcia@company.com" in your email tool, and "Garcia, Maria" in your accounting system. A simple search for "Maria Garcia" will miss records stored under variant forms. You need fuzzy matching and cross-referencing to find every instance, which is exactly the kind of deduplication challenge that data cleaning tools are designed to solve.

Step-by-Step: Handling an Erasure Request

Step 1: Receive and Log the Request

When an erasure request arrives, whether by email, web form, postal mail, or phone, log it immediately in your request tracking system. Record the date received, the identity of the requester, the specific data they want deleted, and the communication channel they used. The 30-day clock starts on the day you receive the request, so accurate date tracking is essential. Assign an owner to the request who will be responsible for seeing it through to completion.

Step 2: Verify the Requester's Identity

Before deleting any data, you must verify that the person making the request is the data subject or an authorized representative. The verification process should be proportionate to the sensitivity of the data. For low-risk data, confirming the request came from the email address associated with the account may be sufficient. For sensitive data, you might require additional verification such as a government-issued ID or answers to security questions. Do not ask for more information than necessary, as excessive identity verification can itself be a GDPR violation.

Step 3: Locate All Data for the Individual

This is the hardest step. Using the data map from your PII audit, search every system and file type for records associated with the individual. Search by name, email address, phone number, customer ID, and any other identifier you have on file. Use fuzzy matching to catch variations in name spelling and formatting. Check free-text fields, notes columns, and attachment contents, not just structured data fields.

For spreadsheets and CSV files, this means searching across every file in your organization's shared drives and cloud storage. A manual search of dozens or hundreds of files is impractical. This is where automated tools become essential. NoSheet's cross-platform search lets you scan all connected data sources simultaneously, finding every record associated with an individual regardless of which system it lives in or what format the data uses.
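The cross-source, variant-form search this step and the data inconsistency discussion describe, as an added Python example (not the page's own code or NoSheet's): it normalizes names, emails and phone numbers and scans constructed CSV exports for every cell referring to one subject. The three source names, their column layouts and all records are constructed for illustration.

```python
import csv
import io
import re
import unicodedata

# Constructed sample exports (not real data): one subject, Maria Garcia, stored
# under the variant forms the article lists, plus near-miss rows (Mario Garcia).
SOURCES = {
    "crm": """id,full_name,email,phone,notes
101,Maria Garcia,maria.garcia@company.com,+44 20 7946 0123,Requested catalogue
102,Mario Garcia,mario.garcia@example.org,+44 20 7946 0999,
""",
    "spreadsheet_export": """Customer,Contact,Comment
M. Garcia,020 7946 0123,
J. Smith,020 7946 0555,Asked about the invoice for Maria Garcia
""",
    "accounting": """account_name,billing_email
"Garcia, Maria",MARIA.GARCIA@COMPANY.COM
"Smith, John",john@example.org
""",
}

def normalize(text):
    """Lowercase, strip accents, keep letters/digits: 'Garcia, Maria' -> 'garciamaria'."""
    text = unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z0-9]", "", text.lower())

def phone_digits(text):
    """Last 10 digits only, so '+44 20 7946 0123' and '020 7946 0123' agree."""
    return re.sub(r"\D", "", text)[-10:]

def find_subject_records(first, last, email, phone, sources=SOURCES):
    """Return (source, row, column) for every cell that matches the subject by a
    normalized name variant, email, phone, or a full-name mention in free text."""
    full_names = {normalize(first + last), normalize(last + first)}
    whole_cell = full_names | {normalize(first[0] + last)}  # initial form: whole cell only
    email_n, phone_n = normalize(email), phone_digits(phone)
    hits = []
    for source, text in sources.items():
        for row_no, row in enumerate(csv.DictReader(io.StringIO(text)), start=1):
            for column, cell in row.items():
                cell = cell or ""  # DictReader yields None for short rows
                cell_n = normalize(cell)
                if (cell_n in whole_cell
                        or (email_n and cell_n == email_n)
                        or (phone_n and phone_digits(cell) == phone_n)
                        or any(name in cell_n for name in full_names)):
                    hits.append((source, row_no, column))
    return hits
```

Every hit is a candidate for the data map in Step 8; the initial-plus-surname form is matched only as a whole cell because as a substring it would flag unrelated people such as "Sam Garcia".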

Step 4: Determine What Can and Cannot Be Deleted

Review each identified record against the exceptions in Article 17(3). Financial transaction records may need to be retained for tax compliance. Employment records may be subject to statutory retention periods. Support ticket content may be needed for ongoing legal matters. For each record, document whether it will be deleted or retained, and if retained, the specific legal basis for retention.

Step 5: Execute the Deletion

Delete the identified records from each system. For databases and CRM systems, this typically means using the platform's built-in deletion function. For email marketing platforms, unsubscribe and delete the contact. For spreadsheets, delete the rows containing the individual's data from every copy of every file. For ad platform audiences, remove the individual from all uploaded custom audiences.

Deletion must be genuine, not just a soft delete or archival. The data must be rendered irrecoverable. For spreadsheets, this means deleting from the active file, emptying the trash or recycle bin, and ensuring that backup copies are also updated. For cloud-hosted files, check the version history and ensure old versions containing the data are purged.

Step 6: Notify Third Parties

If you have shared the individual's data with third parties, inform them of the erasure request. This includes marketing agencies, ad platforms, payment processors, analytics providers, and any other entity that received the individual's personal data from you. Keep records of these notifications and any responses from the third parties confirming deletion.

Step 7: Confirm Completion to the Data Subject

Once all deletions are complete, send written confirmation to the data subject. The confirmation should state what data was deleted, from which systems, and if any data was retained under an exception, the legal basis for retention. This confirmation should be sent within the 30-day deadline or within the extended period if an extension was communicated.

Step 8: Document for Audit

Maintain a complete record of the entire erasure process: the original request, identity verification steps, the data map showing where records were found, the deletion actions taken, any retention decisions and their legal basis, third-party notifications, and the confirmation sent to the data subject. This documentation is your evidence of compliance if a supervisory authority ever investigates.

Response Timeline

| Milestone | Deadline | Action Required |
| --- | --- | --- |
| Request received | Day 0 | Log request, assign owner, start clock |
| Identity verified | Day 1-5 | Confirm requester identity proportionately |
| Data located | Day 5-15 | Search all systems, map all records found |
| Retention review | Day 15-20 | Document exceptions, get legal sign-off if needed |
| Deletion executed | Day 20-25 | Delete from all systems, purge backups |
| Third parties notified | Day 25-28 | Inform all recipients of the data |
| Confirmation sent | Day 30 (max) | Written confirmation to data subject |

Erasure Request Response Template

Subject: Confirmation of Data Erasure - Request #[REF]

Dear [Name],

We confirm that your erasure request dated [DATE] has been processed. The following actions have been taken:

- Personal data deleted from: [list systems]
- Third parties notified: [list parties]
- Data retained under legal obligation: [if any, with basis]

If you have questions about this process, contact our Data Protection Officer at [DPO email].

How NoSheet Streamlines Erasure Compliance

The most time-consuming part of any erasure request is Step 3: locating all data for the individual. NoSheet reduces this from days of manual searching to minutes of automated scanning. By connecting your CRM, email platform, e-commerce system, and spreadsheet files to NoSheet, you create a searchable index of all personal data across your organization.

When an erasure request arrives, you search for the individual using any identifier, such as name, email, or phone number. NoSheet's deduplication engine uses fuzzy matching to find all records, even those with variant spellings or formatting differences. The results show exactly which systems contain the individual's data, what type of data each system holds, and the specific records that need to be deleted.

NoSheet's PII detection ensures that you do not miss personal data hiding in unexpected columns. Free-text fields, notes columns, and custom fields are all scanned. The audit trail feature creates a record of every search and deletion action, providing the documentation you need for compliance verification. Combined with regular data cleaning, your data ecosystem stays organized and auditable, making future erasure requests faster and less error-prone.

Penalties for Non-Compliance

Failing to comply with an erasure request can result in severe financial penalties. GDPR fines for Article 17 violations fall under the higher tier: up to 20 million euros or 4% of annual global turnover, whichever is greater. Supervisory authorities have demonstrated willingness to impose significant fines. In practice, fines for erasure failures have ranged from tens of thousands to millions of euros depending on the severity, the number of affected individuals, and whether the controller demonstrated good faith efforts to comply.

Beyond fines, non-compliance damages customer trust and brand reputation. Data subjects who submit erasure requests and receive no response or an inadequate response often file complaints with supervisory authorities and share their experience publicly. Proactive compliance, including timely responses and transparent communication, builds trust and demonstrates that your organization takes data protection seriously.

Handle Erasure Requests with Confidence

Connect your data sources and find every record for any individual in seconds. No manual searching, no missed records, no compliance risk.

Search Your Data Now