Fancy a treasure hunt?
Did you know the GDPR gives people the right to ask any organisation to delete all their personal data? And you have one month to respond. It’s called “the right to be forgotten” (something we’ve all wished for at some point).
But deleting records and erasing all of someone’s data are two completely different things.
Imagine an old customer sends you a deletion request. You go into your website’s database and remove their account. Job done? Not really. That customer’s email address is probably still in your marketing software, maybe your CRM. Their purchase history might be in your accounting app. Their previous emails to you in a backup somewhere. A comment about their order in an internal Teams channel. You get the idea…
You may have deleted a website account but their data is still all over the place.
This is the situation most organisations only discover when they suddenly get their first deletion request and have to start looking.
And looking can turn into quite an adventure because most organisations don’t have a clear map of where personal data lives. It accumulates over years, across tools, even across people who’ve left since.
The GDPR’s Article 17 requires you to erase that personal data from everywhere you hold it. That includes sub-processors you sent it to.
Now, there are certain situations where you have a legal obligation to keep the data: financial compliance, ongoing contracts, and “legitimate interest” (that’s a complicated one, and for another day).
But, in all cases, you have to actively assess this and be able to explain your reasoning. You can’t ignore requests or simply delete the main account and pray.
What I’m really saying is: if someone asked you to delete their data today, would you know where to look? Do you have a map and a process, or would you be running around like a dog chasing cars?
If you have no idea, it’s time to write that procedure and, as I’ve said before, stop hoarding data you don’t need. The less you collect, the less you have to find when someone asks you to zap it.
Colin