Right to Erasure: Definition and Use in Compliance

What is Right to Erasure?

Right to erasure is the legal right of an individual to have their personal data deleted by an organization when continued processing can't be justified. In the EU, it lives in Article 17 of the General Data Protection Regulation (GDPR). The UK GDPR mirrors it, and the California Consumer Privacy Act offers a comparable but narrower deletion right.

A request triggers the right under specific conditions. The data is no longer necessary for the purpose it was collected. The person withdraws consent and no other legal basis applies. They object to processing and the organization has no overriding legitimate grounds. Or the data was processed unlawfully in the first place.

Here's the part compliance officers care about most: the right has limits. Article 17(3) carves out situations where erasure does not apply, including compliance with a legal obligation and the establishment or defense of legal claims. For a bank, that's decisive. Anti-money laundering law requires retaining Know Your Customer (KYC) records and transaction data for years after an account closes.

Consider a customer who closes their account and demands full deletion. The marketing database can be wiped. The AML transaction records cannot, because the bank has a statutory duty to keep them. The correct response is partial erasure with a clear written explanation of what survives and why. Getting this wrong in either direction (over-deleting evidence or ignoring a valid request) creates regulatory exposure on two fronts.

How is Right to Erasure used in practice?

In daily operations, an erasure request becomes a timed workflow with a one-month statutory clock. The privacy or compliance team verifies the requester's identity first, because deleting the wrong person's data is itself a breach. Then they map where the data lives.

That mapping is harder than it sounds. Personal data scatters across core banking, CRM, email platforms, Case Management systems, backups, and third-party processors. Without a reliable data inventory and Data Lineage records, teams miss copies and fail the request silently.

The pivotal decision is the retention check. If the individual appears in a filed Suspicious Activity Report (SAR) or is under active Enhanced Due Diligence (EDD), the underlying records are protected from deletion. Tipping-off rules add a wrinkle: the bank can't reveal that a SAR exists, so the erasure response must be carefully worded to avoid disclosing the investigation.

Take a real scenario. A customer flagged for Sanctions Screening review files an erasure request. The team partially fulfills it by removing marketing preferences and cookie data, while retaining identity records, transaction logs, and the screening case file. They document each retained category against its legal basis, then apply a suppression flag so the contact isn't re-added by a future data import.

Strong teams maintain a retention matrix mapping every data type to its hold period and statute. Pair that with automation tied to your Audit Trail, and an analyst resolves most requests in under an hour instead of chasing records across a dozen systems.

Right to Erasure in regulatory context

The right to erasure sits inside a web of overlapping rules, and the conflicts are real. GDPR Article 17 grants the right. GDPR Article 17(3) and national AML laws claw much of it back for regulated firms. The job is reconciling the two, request by request, with evidence.

The European Data Protection Board has published guidance confirming that legal retention obligations override erasure, and the UK's Information Commissioner's Office takes the same position. You can read the ICO's published guidance on the right to erasure directly at the Information Commissioner's Office. The Financial Action Task Force (FATF) Recommendation 11 sets the global standard requiring financial institutions to keep transaction records for at least five years, which directly limits how far erasure can reach.

This creates a clean rule of thumb for Anti-Money Laundering (AML) teams. Data needed for Counter-Financing of Terrorism (CFT) recordkeeping, regulatory reporting, or potential investigation stays put for the mandated period. Once that period lapses and no other basis applies, the same data becomes erasable, and many banks then auto-purge it.

A practical example: a former customer's Currency Transaction Report (CTR) filings can't be deleted on demand because BSA recordkeeping rules govern them. After the statutory retention window closes, the records can be destroyed under the bank's own schedule, which satisfies both the privacy obligation and the financial crime obligation. Documenting that lifecycle is what examiners and data protection authorities both want to see.

Common challenges and how to address them

The first challenge is finding all the data. Personal information hides in backups, log files, vendor systems, and unstructured documents. The fix is a maintained data inventory plus Data Lineage mapping, so a search returns every location rather than the obvious ones. Treat backups explicitly: most authorities accept that data in backup can be put "beyond use" and deleted on the next cycle, provided you document the approach.

The second challenge is the retention conflict. Teams either over-delete (destroying evidence a regulator expects) or over-retain (ignoring valid privacy rights). A documented retention matrix tied to each statute resolves most of this. When a request touches data under Know Your Customer (KYC) or active investigation, the answer is automatic: retain, document, partially fulfill the rest.

Third, tipping-off risk. If the person is linked to a Suspicious Activity Report (SAR), your response wording must not reveal the filing. Train staff on approved language and route these requests through compliance, not a general support queue.

Fourth, third-party processors. Under GDPR, the controller must instruct processors to delete data too. Build erasure obligations into vendor contracts and use Third-Party Risk Management (TPRM) reviews to confirm vendors can actually execute deletion.

A worked example: a fintech receives 200 erasure requests after a marketing campaign backlash. Manual handling would blow the deadline. They use their retention matrix and automated suppression, fulfilling the marketing-only requests within days while routing the handful tied to open Transaction Monitoring cases to compliance for documented partial responses.

Related terms and concepts

Right to erasure is one of several data subject rights under privacy law, and it connects tightly to financial crime concepts. Understanding the neighbors helps teams apply it correctly.

On the privacy side, it works alongside Data Minimization, which reduces how much personal data you hold in the first place, making erasure requests simpler to satisfy. Pseudonymization and Tokenization offer alternatives to outright deletion when you need to retain analytical value while reducing identifiability. The Data Protection Officer (DPO) owns oversight of these rights, and the distinction between the GDPR Data Controller and GDPR Data Processor determines who must act on a request.

On the financial crime side, erasure runs straight into recordkeeping duties tied to Customer Due Diligence (CDD), KYC, and the broader Financial Crime Compliance (FCC) mandate. Records supporting a Suspicious Activity Report (SAR) or held as WORM Storage (Write Once Read Many) evidence are protected from deletion during their retention period.

Adjacent regulatory frameworks matter too. The California Consumer Privacy Act (CCPA) grants a parallel deletion right with its own exemptions, and Data Residency rules affect where deleted-versus-retained data physically sits.

For teams modernizing their approach, pairing a clean retention schedule with strong Identity Verification and KYC/AML Automation shortens both onboarding and the data-handling lifecycle that erasure requests eventually test.