Deletion Request

A request from an individual to delete their personal data, exercising rights under privacy laws like GDPR's right to erasure or CCPA's right to delete. Upon receiving a deletion request, organizations must verify the requester's identity, identify all personal data about the requester, assess whether exceptions apply (like legal obligations to retain data), delete applicable data across all systems, instruct processors and third parties to delete data, and confirm deletion to the requester within required timeframes. Not all data must be deleted—exceptions exist for completing transactions, legal compliance, fraud detection, free speech, internal use aligned with consumer expectations, and other specified purposes. Organizations should implement deletion procedures, document exceptions clearly, train staff on handling requests, use technology to facilitate comprehensive deletion, and maintain records of deletion requests and responses. Effective deletion requires understanding where data resides across complex IT environments.