Under global privacy laws, consumers have the right to submit data deletion requests. This means companies must delete all the data they hold on the user across their systems. This article will cover how businesses can execute deletion requests properly, what process it requires, and what most companies get wrong about data deletion.
A data deletion request, also known as an erasure request, is a type of data subject request (DSR) granted by global privacy laws. When a consumer submits a data deletion request, they are asking the company to delete all of the personal data on them, across all business systems.
Due to the rise of data privacy laws in recent years, honoring consumers’ deletion requests has become a vital compliance requirement for any company processing consumers’ personal data.
Regulations like the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and Brazil’s Lei Geral de Proteção de Dados Pessoais (LGPD) require businesses to fulfill users’ deletion requests. Failure to address this obligation can result in substantial punitive fines.
Depending on the privacy law, consumers have the right to access, correct, delete, and receive their data in a machine-readable format, or all of the above, and more. Here’s a list of the data subject rights granted by GDPR, CCPA, and LGPD.
GDPR:
• The right to be informed;
• The right to access;
• The right to rectification;
• The right to erasure;
• The right to restrict processing;
• The right to data portability;
• The right to object to processing;
• The right to not be subjected to automated decision making, including profiling.
CCPA:
• The right to know;
• The right to access;
• The right to correct;
• The right to delete;
• The right to data portability;
• The right to opt-out of data sales and sharing.
LGPD:
• The right to confirmation of the existence of data processing;
• The right to access the data;
• The right to correct incomplete, inaccurate, or out-of-date data;
• The right to anonymize, block, or delete unnecessary or excessive data or data that is not being processed in compliance with the LGPD;
• The right to the portability of data to another service or product provider, by means of an express request;
• The right to delete personal data processed with the consent of the data subject;
• The right to information about public and private entities with which the controller has shared data;
• The right to information about the possibility of denying consent and the consequences of such denial;
• The right to revoke consent.
Before considering how your company can address individual data subject rights, you should make sure that you have a clear understanding of your organization’s existing data infrastructure.
You can find out more about data mapping in our guide to building a company data map.
Of all the data subject rights consumers are granted, data deletion is the most complex subject request to fulfill. Processing erasure requests requires a clear understanding of data erasure and what it entails. We’ll dive deeper into this in the next section.
Most people are surprised to learn that when you receive a deletion request, you don’t actually need to erase all of the user’s data in your business systems. Rather, you must delete any PII that can be linked back to an individual’s identity.
As such, you may retain certain fields of behavioral, financial, or transactional data if it is deemed necessary for your business to continue operations (i.e. a legitimate business interest), provided it does not reveal the individual’s personal identity.
This subtle distinction has big implications for how a privacy-compliant business operates. Below, we break down some key considerations that should be made when creating deletion request systems that are compliant with privacy regulations.
An individual may submit a deletion request either verbally or in writing. It can be made to any part of your organization and does not have to be made to a specific point of contact.
Businesses must have an internal policy in place that details how to recognize an erasure request, i.e. how to record such requests in an auditable log and how to have such requests appropriately actioned by your organization. A record of erasure activity should be stored in a secure format.
You should prioritize any request relating to the erasure of a child’s personally identifiable information. Data privacy laws provide stronger protections on children’s data.
If your company receives a deletion request, you must be transparent with the requestor by detailing what will happen to the data when the request is fulfilled. You should always verify the identity of the individual first in order to confirm they are who they claim to be.
Once identity verification is completed, you’ll then need to erase all personal data belonging to that user from your organization’s databases and any systems that contain copies of the data. This includes live systems, as well as backups.
Erasure may be possible instantaneously for live systems, but the data may persist in backups for a certain period of time until those backups are overwritten. If this is the case, you’ll need to put the backup data “beyond use.”
Putting data “beyond use” means that:
Erasing this data must not be reversible in order for this process to be compliant with data privacy laws.
If your organization receives an erasure request, the timeframe to respond depends on the privacy law. If your company processes a user’s data from a specific jurisdiction, you must respond within the time period specified in that regulation.
For example, if you process the personal data of a customer from Brazil, you must complete their data deletion request within 15 days. Here’s a list of compliance times and fines across global privacy laws for deletion requests.
| Law | Data Subject Right | Time given to comply with Data Subject Access Request | Maximum fine if right is violated |
|---|---|---|---|
| GDPR | The right to erasure | | State bodies can be fined up to €1 million for failure to meet their obligations. Multinationals can be fined up to €20 million, or four percent of their previous year’s turnover. |
| CCPA | The right to delete | | Unintentional violators can be fined up to $2,500 per individual affected, per violation. Intentional violators can be fined up to $7,500 per violation. |
| LGPD | The right to delete personal data processed with the consent of the data subject | 15 days | 2% of a private legal entity’s, group’s, or conglomerate’s revenue in Brazil, for the prior fiscal year, excluding taxes, up to a total maximum of 50 million Brazilian reals. |
For many businesses, hard-deleting an individual’s data from a single database can cause a ripple effect across dependent systems, and generate referential integrity issues in your databases that render other, non-personal data unusable.
For example, an online store may use an individual’s email address – a piece of PII – as the foreign key linking the customer record to their order database. In case of an erasure request, they’d need to make the PII unusable without impacting the linked information.
If an order is linked to an individual’s personal data using a foreign key as the reference point, you may run the risk of making the order data unusable if you simply delete the individual’s PII.
In order to uphold referential integrity while remaining compliant, consider implementing one-way data masking as part of your erasure strategy. This refers to the process of hiding or obfuscating original data with modified content that makes it impossible to retrieve.
In practice, this means encrypting or masking the data so that it cannot be used to identify the individual to whom it belongs. This removes all personal identifiers and reduces the risk of indirect identifiers being used to connect any stored data to a particular user.
This strategy is allowed under the GDPR, CCPA, and LGPD, provided that the masking is irreversible.
As a final part of the erasure process, your company should also make sure that it doesn’t re-collect a data subject’s PII if they have submitted a request in the past. This means putting a data suppression system in place to prevent the processing of an individual’s data where that data is automatically collected or received from third-party data providers.
Ensuring that a user is “suppressed” from business systems means that their data is no longer used in business processes and will not be re-included at a later date. In short, it means that the person exercising their right to be forgotten stays forgotten.
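As an added illustration (not part of the original article, and not Fides code), the following Python sketch shows the two mechanisms described above: one-way masking of the email foreign key so the linked orders stay usable, and a suppression check that stops the same subject being re-ingested. The in-memory schema, field names and suppression key are assumptions.

```python
import hmac
import hashlib
import secrets

# Assumed secret for the suppression list; in practice it lives in a
# secrets manager, not in the database that holds the suppression tokens.
SUPPRESSION_KEY = b"placeholder-rotate-in-production"
PII_FIELDS = {"email", "name", "phone"}  # direct identifiers to drop on erasure


def new_db():
    """Constructed sample store: customers keyed by email, orders pointing
    at the customer via that email (the foreign key), and a suppression set."""
    return {
        "customers": {"ann@example.com": {"email": "ann@example.com",
                                          "name": "Ann Example",
                                          "phone": "555-0100", "plan": "pro"}},
        "orders": [{"id": 1, "customer": "ann@example.com", "total": 42.50},
                   {"id": 2, "customer": "ann@example.com", "total": 10.00}],
        "suppressed": set(),
    }


def suppression_token(email):
    """Keyed one-way digest of the normalised identifier: lets intake paths
    recognise a returning identifier without storing the identifier itself."""
    normalised = email.strip().lower().encode()
    return hmac.new(SUPPRESSION_KEY, normalised, hashlib.sha256).hexdigest()


def is_suppressed(db, email):
    return suppression_token(email) in db["suppressed"]


def erase_subject(db, email):
    """Fulfil a deletion request without breaking referential integrity.
    The foreign key is replaced by a random pseudonym that is not derived
    from the email, so the masking is irreversible; direct identifiers are
    dropped; non-identifying business fields (here 'plan') are retained."""
    record = db["customers"].pop(email, None)
    if record is None:
        return None
    pseudonym = "erased-" + secrets.token_hex(8)
    kept = {k: v for k, v in record.items() if k not in PII_FIELDS}
    db["customers"][pseudonym] = {"email": pseudonym, **kept}
    for order in db["orders"]:          # re-point every dependent row
        if order["customer"] == email:
            order["customer"] = pseudonym
    db["suppressed"].add(suppression_token(email))
    return pseudonym


def ingest_customer(db, record):
    """Guard for every intake path (forms, imports, third-party feeds)."""
    if is_suppressed(db, record["email"]):
        return False
    db["customers"][record["email"]] = record
    return True
```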
If you want to retain the value of your company’s collected data while honoring users’ deletion requests in a seamless and secure way, check out the Fides privacy engineering automation platform to automate deletion requests.
To find out more about implementing effective systems for data deletion requests, schedule a free 15-minute call with one of our privacy deployment specialists today.