AuditFront
Privacy & Data Protection

Right to Erasure

A data subject's right under GDPR (Article 17) to request the deletion of their personal data when it is no longer necessary, when consent is withdrawn, or when the data was unlawfully processed. Also commonly known as the 'right to be forgotten.'

The right to erasure, codified in GDPR Article 17, empowers individuals to request the deletion of their personal data under specific circumstances. These include situations where the data is no longer necessary for its original purpose, where the individual withdraws consent and no other legal basis for processing exists, where the individual objects to processing and there are no overriding legitimate grounds, where the data was unlawfully processed, or where deletion is required to comply with a legal obligation. The right is not absolute — organizations can refuse erasure requests when the processing is necessary for exercising freedom of expression, complying with legal obligations, public interest in public health, archiving in the public interest, or establishing and defending legal claims.

Implementing the right to erasure presents significant technical challenges, particularly for organizations with complex data architectures. Personal data may be spread across production databases, backups, logs, analytics systems, third-party processors, and data warehouses. Organizations must develop processes to identify all locations where an individual's data resides, execute deletion across all systems, handle cascading dependencies (such as referential integrity in databases), and manage backup retention timelines. A common approach is to implement soft deletion or anonymization where immediate physical deletion from all systems (particularly backups) is impractical, provided the data is effectively rendered non-identifiable.
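The cascading-dependency and anonymization handling described above, as an added example (not AuditFront's code) using an in-memory SQLite database. The schema, table names and request IDs are hypothetical. It assumes that invoices must be retained under a legal-obligation exception, and that nulling the listed columns is enough to make the retained rows non-identifiable in this toy schema.

```python
import sqlite3
from datetime import datetime, timezone

SCHEMA = """
CREATE TABLE users(id INTEGER PRIMARY KEY, email TEXT, name TEXT, erased_at TEXT);
CREATE TABLE sessions(id INTEGER PRIMARY KEY, ip TEXT,
  user_id INTEGER NOT NULL REFERENCES users(id) ON DELETE CASCADE);
CREATE TABLE invoices(id INTEGER PRIMARY KEY, billing_name TEXT, amount_cents INTEGER,
  user_id INTEGER NOT NULL REFERENCES users(id));  -- no cascade: rows are retained
CREATE TABLE erasure_log(request_id TEXT PRIMARY KEY, user_id INTEGER, outcome TEXT, done_at TEXT);
"""

def connect():
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite ignores ON DELETE CASCADE without this
    conn.executescript(SCHEMA)
    return conn

def erase_user(conn, user_id, request_id):
    """Erase one data subject; returns 'deleted', 'anonymized' or 'not_found'."""
    now = datetime.now(timezone.utc).isoformat()
    with conn:  # one transaction: a failure rolls back every table touched
        if conn.execute("SELECT 1 FROM users WHERE id=?", (user_id,)).fetchone() is None:
            outcome = "not_found"
        elif conn.execute("SELECT 1 FROM invoices WHERE user_id=?", (user_id,)).fetchone():
            # Retained invoices still reference the user row: scrub identifiers in place.
            conn.execute("DELETE FROM sessions WHERE user_id=?", (user_id,))
            conn.execute("UPDATE invoices SET billing_name=NULL WHERE user_id=?", (user_id,))
            conn.execute("UPDATE users SET email=NULL, name=NULL, erased_at=? WHERE id=?", (now, user_id))
            outcome = "anonymized"
        else:
            conn.execute("DELETE FROM users WHERE id=?", (user_id,))  # cascades to sessions
            outcome = "deleted"
        # The log keeps only the request ID, the internal user ID and the outcome.
        conn.execute("INSERT INTO erasure_log VALUES(?,?,?,?)", (request_id, user_id, outcome, now))
    return outcome

def residual_identifiers(conn, user_id):
    """Count rows that still hold a direct identifier for the user (0 after erasure)."""
    q = """SELECT (SELECT COUNT(*) FROM users WHERE id=:u AND (email IS NOT NULL OR name IS NOT NULL))
                + (SELECT COUNT(*) FROM sessions WHERE user_id=:u)
                + (SELECT COUNT(*) FROM invoices WHERE user_id=:u AND billing_name IS NOT NULL)"""
    return conn.execute(q, {"u": user_id}).fetchone()[0]

def seed(conn):
    """Constructed sample data: user 1 has an invoice, user 2 has only a session."""
    conn.executemany("INSERT INTO users(id,email,name) VALUES(?,?,?)",
                     [(1, "ana@example.test", "Ana"), (2, "bo@example.test", "Bo")])
    conn.executemany("INSERT INTO sessions(user_id,ip) VALUES(?,?)", [(1, "192.0.2.10"), (2, "192.0.2.20")])
    conn.execute("INSERT INTO invoices(user_id,billing_name,amount_cents) VALUES(1,'Ana',4200)")
    conn.commit()
```

Running `residual_identifiers` after each request gives a per-system check that can be repeated for every store in the data inventory; backups and third-party processors are outside what this single-database sketch covers.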

From a compliance operations perspective, organizations should establish clear procedures for receiving, validating, and fulfilling erasure requests within the GDPR-mandated 30-day response period. This includes identity verification to prevent unauthorized deletion requests, a defined escalation process for requests where exceptions may apply, technical mechanisms to propagate deletion to all data processors, and documentation of each request and its outcome for accountability purposes. ISO 27001's asset management and data handling controls support this capability by requiring organizations to maintain an inventory of information assets and manage their lifecycle. Building erasure capabilities into systems from the start — as part of privacy by design — is far more cost-effective than retrofitting them later.
