The Right to Erasure: How to Handle 'Delete My Data' Requests Under POPIA and GDPR
How to handle 'delete my data' requests from clients under POPIA and GDPR. Learn when you must comply, when you can refuse, and how to respond properly.
Someone wants their data deleted — what now?
Sooner or later, a client, ex-client, or prospect will ask you to delete all their personal information. Under POPIA and GDPR, this is a legal right. Getting it wrong — refusing incorrectly or deleting data you were legally required to keep — can cause real problems.
When you MUST delete the data
You must delete personal data when a valid erasure request is made and: the data is no longer necessary for the purpose it was collected for; the person withdraws consent and there is no other lawful basis; the person objects to processing and there are no overriding legitimate grounds; or the data was processed unlawfully.
When you can DECLINE to delete
You are not required to delete data if you have a legitimate legal reason to retain it. Common grounds: Legal obligation — SARS requires financial records for 5 years; HMRC for 6 years. You cannot delete invoices in this window. Legal claims — if there is an ongoing dispute or likelihood of litigation. Active contract — if the data is necessary to fulfil a current contract. If you decline, you must inform the person of your reasons and their right to complain to the regulator.
Step-by-step: handling an erasure request
- Verify identity — confirm who is making the request before taking any action
- Respond within one month — both POPIA and GDPR require a response within one calendar month; you can extend by two further months for complex cases but must notify within the first month
- Identify all data you hold — search CRM, email, invoicing software, accounting records, spreadsheets, cloud storage
- Determine what can and cannot be deleted — apply the rules above; financial records stay, inactive contact records typically go
- Delete what you can, retain what you must — consider anonymising retained data where possible
- Notify third parties — inform any service you've shared the person's data with and ask them to delete their records
- Confirm in writing — send written confirmation of what was deleted, what was retained and why, and who was notified
Set up a simple erasure procedure now
Create a dedicated email address for data requests (e.g. privacy@yourbusiness.co.za), write a one-page internal procedure, and document where all your personal data lives. This takes an hour once and saves significant stress when a request arrives.