GDPR gives individuals the right to have their personal data deleted, although this is not an 'absolute' right. If you still need to retain the personal data concerned, you may be able to refuse the request. Moreover, the right to erasure does not mean you erase all the data if you have a need and legitimate interest basis to process their data for audit records. If you cannot erase data (for example, there is a legal requirement to keep certain records for six years) then consider restricting the processing, such as moving to archiving.
The data minimisation principles should also be applied, together with an appropriate retention period. Ensure that you inform the data subject as to what data you are keeping.
Once you have established the legal requirements for processing, you should look at anonymised tracking for a limited timeframe. You should inform the individual that after a specific point in time, there will be no evidence of either the data or their request to remove the data.
If you have mailing lists, and an individual wishes to become unsubscribed, then you have a legitimate interest to keep their details under a "do not email" list, which will ensure you maintain compliance by not inadvertently emailing them again in the future.
This is similarly the case where someone asks for their data to be deleted. You may need a record of this deletion and their details so that if you need to roll back data, you can ensure you remove them again to prevent breach or use of their data in the future.
Contact our Data Protection and GDPR Solicitors Liverpool, Wirral, Merseyside and Across England & Wales
For more data protection and GDPR advice and support, contact our specialist team on 0151 659 1070 or complete our online enquiry form for a free consultation.
