GRCWatch
Sign inStart free trial

GDPR A17-01: Right to Erasure (Right to be Forgotten)

The right to erasure is a cornerstone of GDPR that obligates organizations to delete personal data upon request under specific conditions. Failing to implement this control exposes you to regulatory fines and data breach liability. This guide walks you through the legal requirements and practical steps to build a compliant data deletion process.

What this means

Right to Erasure requires you to erase personal data without undue delay when: the data is no longer necessary for its original purpose; consent is withdrawn and no other legal basis exists; the data subject objects and there are no overriding legitimate grounds; data has been unlawfully processed; or erasure is required by applicable law. You must also notify third parties who received the data, unless doing so is impossible or disproportionate. Some exceptions apply—you may retain data for legal compliance, public interest, or exercise of rights.

How to comply

  1. 1.Establish a documented data deletion request process that captures and logs all erasure requests with timestamps
  2. 2.Create a data inventory mapping where personal data is stored across systems, databases, and third-party tools
  3. 3.Define response timelines (typically 30 days) and assign clear ownership for processing deletion requests
  4. 4.Implement automated deletion workflows where feasible; manually delete data in legacy or disconnected systems
  5. 5.Identify and document exceptions to erasure (legal holds, backup retention, contractual obligations)
  6. 6.Notify all downstream data processors and third parties who received the data of the deletion request
  7. 7.Verify deletion completion and maintain audit records showing what was deleted, when, and by whom
  8. 8.Train staff on how to validate erasure requests and handle edge cases (archived data, backups)

Evidence auditors look for

  • Data subject access request (SAR) process document with deletion request handling procedures
  • Deletion request log showing date received, individual submitting request, data categories affected, and completion date
  • Data inventory or mapping document identifying all systems holding personal data
  • Automated deletion scripts or API configurations that trigger data removal from primary systems
  • Notification records sent to third-party processors confirming deletion requests forwarded to them
  • Backup retention policy specifying how and when archived personal data is permanently purged
  • Audit trail or deletion certificate confirming data was removed from all systems
  • Training records for staff on GDPR right to erasure and request handling procedures

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates data inventory mapping and deletion request workflows, helping you track erasure requests across all systems and generate audit-ready deletion records in minutes instead of weeks.

See how GRCWatch handles this control automatically

Start free trial

Related controls

GDPR A15-01 — Right of AccessGDPR A16-01 — Right to RectificationGDPR A21-01 — Right to ObjectGDPR A4-01 — Lawful Basis for ProcessingGDPR A32-01 — Security of Processing