How is the Right to Erasure Applied Under the GDPR? A Complete Guide to Organizational Compliance

27 Feb 2025 | Hannaleena Pojanluoma

How is the Right to Erasure applied under the GDPR? The GDPR’s Right to Erasure, also known as the Right to be Forgotten, allows EU citizens to request the deletion of their personal data. This right is an essential part of GDPR’s approach to data protection, giving individuals increased control over how their personal information is managed.  
  
For businesses, however, responding to these requests isn’t that simple. Above all, it can be difficult to identify and securely erase all personal data associated with an individual across organizational systems. 
  
What Is the Right to Erasure Under GDPR?  

  • What?  
    Similar to California’s CCPA, the General Data Protection Regulation (GDPR) is a data protection law that applies to organizations processing the personal data of individuals in the European Union. One of its key clauses is the Right to Erasure, also known as the Right to be Forgotten. This allows individuals to request the deletion of their personal data. Organizations must comply with requests if:  
    - The data is no longer necessary for the purpose it was originally collected for  
    - Consent is withdrawn  
    - The data was processed unlawfully  
  • When? 
    The GDPR came into effect on May 25, 2018 after being adopted in April 2016. Since then, organizations that process EU citizens' personal data must comply with its requirements, including handling Right to Erasure requests appropriately. 
  • Who?  
    The GDPR applies to:  
    - Any organization, regardless of location, that processes the personal data of individuals in the EU.  
    - Companies that offer goods or services to EU residents or monitor their behavior.  
    - Organizations of all sizes, including businesses, non-profits and public institutions.  
     

What Has to Be Deleted Under the GDPR Right to Erasure?  

To comply with the GDPR’s Right to Erasure, the main priority is to delete active records from live systems, such as personal data stored in databases, files and customer records.   
  
Backups, on the other hand, may remain until they are overwritten according to the organization’s retention schedule. However, they must be put “beyond use”, meaning they cannot be accessed or processed for any other purpose. Organizations must clearly inform individuals about how their data is handled in backups.

Exceptions to the Right to Erasure  

Not all deletion requests must be fulfilled. Organizations can refuse if the data is needed:  

  • For legal or regulatory compliance (e.g., tax or employment laws)  
  • For public interest reasons (e.g., health or research purposes)  
  • To establish, exercise or defend legal claims 
     

How Do I Ensure the Right to Be Forgotten Under GDPR?  

To comply with the GDPR’s Right to Erasure, organizations should begin by putting together a clear process for handling deletion requests. Here are three general steps that you can use as a framework for creating your own process.  

Steps to Handle GDPR Right to Erasure Requests 

1. Verify the Request
Confirm the identity of the requester and ensure their data qualifies for erasure under GDPR regulations. Some data may be exempt from deletion, such as records required for legal obligations or public interest. 

2. Locate the Data
Identify where the individual’s data is stored, including local systems, cloud platforms and backups. 

3. Delete Securely & Document the Process
Use reliable data wiping methods to ensure permanent removal, preventing unauthorized recovery. You can then keep records of the erasure process for auditing purposes and notify the requester that their data has been deleted. 

Challenges of Complying with the Right to Erasure 

Complying with the GDPR’s Right to Erasure isn’t as simple as it looks, however. The main challenges you’re likely to face generally fall into 2 main categories: identifying and finding personal data, and permanently deleting it to ensure compliance.  

1. Identifying & Finding Personal Data  

Personal data is often spread across multiple systems, including employee devices, cloud storage, backups and legacy databases. This makes it difficult to track down all instances of an individual’s data.  
  
The challenge is even greater for organizations using older or incompatible data storage systems that were not designed for easy retrieval or deletion. Backups present a particular difficulty: they are intended for data recovery rather than modification, so unless the right tools are used, data may remain stored even after a deletion request has been processed. This brings us to the second challenge.  

2. Permanently Deleting Data  

Once data is identified, organizations must ensure it is securely erased. Simply deleting files isn’t enough: residual data (data remanence) can persist on the storage medium, creating compliance and security risks.  
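As an added illustration of the three-step process above (verify, locate, delete securely and document), the following Python script is example code written for this article; it is not BCWipe’s code or Jetico’s own process. It scans a directory for files that both name the data subject and contain a PII-like pattern, overwrites each hit before unlinking it, and appends one JSON line per wiped file to a deletion log. The request fields, the two regex patterns, the file names and the sample records are all constructed for the example. The in-place overwrite it uses only sanitizes media that rewrite blocks in place; the comments note where SSDs, copy-on-write or journaling filesystems, snapshots and backups fall outside what such a script can guarantee.

```python
"""Locate-then-wipe workflow for one Right to Erasure request (illustrative example)."""
import hashlib
import json
import os
import re
import secrets
import tempfile
import time
from pathlib import Path

# Constructed, hypothetical PII patterns. A real deployment needs locale-specific
# identifiers (national IDs, tax numbers) and a proper classification engine.
PII_PATTERNS = {
    "us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
}


def locate(root, keyword):
    """Step 2: files under root that mention the data subject AND carry a PII-like pattern."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue  # unreadable file: a real tool should report it rather than skip it
        if keyword.lower() not in text.lower():
            continue
        kinds = [name for name, rx in PII_PATTERNS.items() if rx.search(text)]
        if kinds:
            hits.append((path, kinds))
    return hits


def secure_wipe(path, passes=3):
    """Step 3a: overwrite the file body in place, then rename and unlink it.

    Returns a record of what was destroyed for the deletion log. Caveat: overwriting
    only sanitizes media that rewrite blocks in place. SSDs (wear levelling),
    copy-on-write or journaling filesystems, snapshots and backups can keep the old
    blocks, which is why standards such as NIST SP 800-88 distinguish clearing from
    purging; backups still have to be handled under the retention schedule.
    """
    p = Path(path)
    original = p.read_bytes()
    record = {"path": str(p), "bytes": len(original), "passes": passes,
              "sha256_before": hashlib.sha256(original).hexdigest()}
    with open(p, "r+b", buffering=0) as f:
        for _ in range(passes):  # random passes, then a final zero pass
            f.seek(0)
            remaining = len(original)
            while remaining > 0:
                chunk = min(remaining, 65536)
                f.write(secrets.token_bytes(chunk))
                remaining -= chunk
            os.fsync(f.fileno())
        f.seek(0)
        f.write(b"\x00" * len(original))
        os.fsync(f.fileno())
    anon = p.with_name(secrets.token_hex(8))  # scrub the original name from the directory entry
    p.rename(anon)
    anon.unlink()
    return record


def process_erasure_request(request, root, log_path):
    """Steps 1-3: gate on verification and exemptions, wipe the hits, log each action."""
    if not request.get("identity_verified"):  # Step 1: identity must be confirmed first
        raise PermissionError("requester identity not verified")
    records = []
    with open(log_path, "a") as log:
        if request.get("legal_hold"):  # Step 1: data needed for legal claims is exempt
            log.write(json.dumps({"request_id": request["request_id"],
                                  "outcome": "refused", "reason": "legal_hold"}) + "\n")
            return records
        for path, kinds in locate(root, request["subject_name"]):
            rec = secure_wipe(path)
            rec.update({"request_id": request["request_id"], "pii_types": kinds,
                        "wiped_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())})
            log.write(json.dumps(rec) + "\n")  # Step 3b: document for audit
            records.append(rec)
    return records


def demo(root=None):
    """Create constructed sample files, run two requests, return a summary."""
    root = Path(root or tempfile.mkdtemp(prefix="erasure_demo_"))
    (root / "crm_export.txt").write_text("Customer: John Smith, SSN 123-45-6789, john.smith@example.com\n")
    (root / "meeting_notes.txt").write_text("John Smith asked about delivery times.\n")  # name, no PII
    (root / "other_customer.txt").write_text("Jane Doe, 987-65-4321\n")  # PII, different subject
    log_path = root / "erasure_log.jsonl"
    wiped = process_erasure_request({"request_id": "REQ-0001", "subject_name": "John Smith",
                                     "identity_verified": True, "legal_hold": False}, root, log_path)
    held = process_erasure_request({"request_id": "REQ-0002", "subject_name": "Jane Doe",
                                    "identity_verified": True, "legal_hold": True}, root, log_path)
    return {"wiped": [Path(r["path"]).name for r in wiped],
            "held_wiped": len(held),
            "remaining": sorted(p.name for p in root.iterdir() if p.is_file() and p != log_path),
            "log_lines": log_path.read_text().count("\n"),
            "pii_types": wiped[0]["pii_types"] if wiped else []}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))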

Benefits of Using a Combined Approach

To overcome these challenges, organizations need to use reliable tools that not only locate personal data across all systems, but also ensure its secure and irreversible deletion. This is simplest when using a solution that incorporates both advanced search tools and data wiping software, like BCWipe.
 
By combining advanced search features with trusted data wiping software, organizations can easily respond to deletion requests and ensure compliance with the GDPR’s Right to Erasure. An integrated approach removes the manual step of transferring search results to a separate deletion tool, which is tedious and prone to human error such as data mismatches or incomplete removals. With a combined solution, businesses can:  

  • Streamline operations  
  • Respond to erasure requests more efficiently  
  • Minimize the risk of errors  

Overall, this approach strengthens data protection strategies, reduces the risk of compliance failure and enhances customer trust.  

A Step-by-Step Guide on How to Comply with GDPR’s Right to Be Forgotten

To comply with the GDPR’s Right to Erasure, organizations must securely locate and delete personal data upon request. Here’s how to efficiently achieve this in 3 steps: 

Step 1: Select PII Preset & Keyword 

BCWipe’s Search feature helps identify sensitive data quickly. To fulfill a Right to Erasure request, start by selecting the ‘Personal Identifiable Information (PII)’ preset to locate specific types of PII, for example Social Security Numbers or tax IDs. Then, enter a relevant keyword – such as the name of the individual requesting data deletion. In this example, the person’s name is John Smith. 

Select PII preset filter with keyword to comply with GDPR Right to Erase in BCWipe screenshot

Step 2: Check Search Results 

Once the search is complete, all files containing PII related to the keyword will be displayed in the ‘Search Results’ field. Carefully review these files to verify the data before proceeding with deletion.

Step 3: Delete Selected Files 

Select the files you wish to erase by ticking the checkboxes, then click ‘Wipe’ to initiate secure deletion. BCWipe permanently removes files beyond forensic recovery, ensuring full compliance with the GDPR’s Right to Erasure.

Select files to wipe with BCWipe to comply with the GDPR Right to Erasure screenshot

Best Practices & Key Considerations  

Using advanced search tools and data wiping software is a great start, but organizations could also think about implementing the following practices to help comply with the GDPR’s Right to Erasure:  

  • Training & Policy Development
    Establish clear data management policies and provide employees with regular training on how to handle deletion requests. Well-defined procedures help ensure consistency in identifying, processing and securely erasing personal data in accordance with GDPR requirements.  
  • Deletion Logs
    Keep comprehensive records of erasure requests and the actions taken to fulfill them. Maintaining logs boosts transparency and allows you to clearly show customers that their data has been securely erased, leading to improved trust. Logs also help with compliance reporting and providing documentation in case of regulatory audits or inquiries.   
  • Cyber Hygiene
    Regularly audit IT systems, update data retention policies and map data flows to improve efficiency in handling erasure requests. Strong cyber hygiene practices, like routine system maintenance and structured data organization, prevent errors in data deletion and reduce the risk of residual information lingering in systems, either of which could lead to non-compliance.
     

Achieve GDPR Compliance with BCWipe

For over 20 years, BCWipe has been trusted by the U.S. Department of Defense to securely wipe files and data remanence beyond forensic recovery. Compliant with key standards like the U.S. DoD 5220.22-M, IEEE 2883-2022 and NIST 800-88, BCWipe offers reliable data protection.   
  
By choosing BCWipe, organizations gain access to advanced tools such as the Search feature and centralized management for remote wiping and software control.  
  
Want to try out BCWipe and the new Search feature? Contact our Data Protection Specialist today to request a free trial or demo. 

Hannaleena Pojanluoma

Hannaleena Pojanluoma has been leading Jetico as CEO since May 2023, bringing with her more than 20 years of sales, marketing and technology experience. Previously working for a range of international companies in her native Finland, Pojanluoma has a broad understanding of diverse international markets.

Pojanluoma has been essential in driving sales growth since joining Jetico in October 2015. Her efforts have been concentrated on boosting sales and brand awareness in key European countries such as the United Kingdom, Germany and Italy.

As a member of Jetico's Board of Directors, she joins influential figures such as Tommi Rasila and Umeshchandra Gowda.
