Right to Erasure: Definition and Use in Compliance
Right to Erasure is a data privacy right, established under Article 17 of the General Data Protection Regulation (GDPR), that entitles individuals to request deletion of their personal data when it is no longer needed for the purpose for which it was originally collected.
What is Right to Erasure?
Right to erasure is the legal right of an individual to demand that an organization delete their personal data. It's codified in Article 17 of the General Data Protection Regulation (GDPR), which took effect across the European Union in May 2018. The right applies in six specific circumstances: the data is no longer necessary for its original purpose; the individual withdraws consent and no alternative legal basis exists; the individual objects to processing under Article 21 and the controller has no overriding grounds; the data has been processed unlawfully; deletion is required under EU or member-state law; or the data was collected from a child in connection with digital services.
The right has firm limits. Article 17(3) provides five categories of exemption, including freedom of expression, compliance with a legal obligation, public health, scientific or historical research in the public interest, and the establishment or defense of legal claims. For financial institutions, the legal obligation exemption does the most work. AML record-keeping requirements, whether under the EU's Anti-Money Laundering Directives or FinCEN's Bank Secrecy Act rules, typically mandate retention for five years after the end of a business relationship and often longer after a suspicious activity report is filed.
A concrete example: a former retail banking customer submits an erasure request six months after closing their account. The bank's CDD files, transaction history, and any Suspicious Activity Report (SAR) filed on that customer remain subject to mandatory retention. The bank must respond within one month, explain the legal basis for keeping the data, and confirm what, if anything, it has deleted. Marketing preferences and non-regulated records are fair game for immediate deletion.
Equivalent rights now exist in the California Consumer Privacy Act (CCPA) at Section 1798.105, Brazil's LGPD, India's Digital Personal Data Protection Act 2023, and Canada's proposed Bill C-27. The response windows, exemptions, and scope differ enough that institutions operating across jurisdictions need separate response workflows. A 30-day GDPR response window and a 45-day CCPA window handled by the same team require careful intake triage from the start.
The ICO's Right to Erasure guidance is the most operationally detailed published resource from a major supervisory authority and is worth reading even for non-UK teams.
How is Right to Erasure used in practice?
The process starts when a data subject submits a request. Most banks route these to the Data Protection Officer or a dedicated privacy operations team. The GDPR clock starts on the day of receipt. One month is standard, extendable to three months for genuinely complex cases, provided you notify the requestor within the first 30 days.
Step one is a retention obligation check. If the individual has an open account, an active Customer Due Diligence (CDD) file, or appears in any AML case records, the legal obligation exemption under Article 17(3)(b) almost certainly applies. The bank must document this clearly: which specific regulation requires retention, what data categories are affected, and for how long. Telling a requestor "we're keeping everything for legal reasons" without specifying the regulation is itself a GDPR violation.
Where erasure is legitimate, the deletion must cover all systems: CRM, marketing platforms, email archives, backup tapes, and any third-party processors who received the data. Live systems can usually be cleaned within days. Backup media is operationally harder. Many institutions run monthly or quarterly backup cycles, and tapes may not be overwritten for 12 to 24 months. European data protection authorities have accepted that backup deletion may lag behind live systems, but they expect a documented schedule and controls that prevent erased data from being inadvertently restored.
Automated data discovery is now standard practice at any institution handling significant volumes of erasure requests. Without a complete data map, you cannot confirm deletion. We've seen mid-sized banks discover that a customer's Personally Identifiable Information (PII) sat in a dozen systems that nobody had formally catalogued. That's both a GDPR compliance failure and an operational risk.
Third-party processor notification is a separate obligation. Under GDPR Article 19, the controller must inform all processors of an erasure decision. That requires contracts with explicit erasure clauses and the ability to trigger them quickly.
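The intake steps above (deadline calculation, retention obligation check per record category, cited legal basis, and a list of what can actually be erased) as an added worked example, not code from the original page or from any vendor. The category names, the system labels, the trigger events and the basis wording are this example's assumptions; the five-year periods and the one-month / three-month deadlines follow the text.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Retention rules per record category: years kept after the trigger event, the
# trigger, and the basis cited in the response. The five-year periods follow the
# text; category names, triggers and wording are this example's own assumptions.
RETENTION_RULES = {
    "cdd_file":     (5, "relationship_end", "AML record-keeping (EU AMLD / FinCEN BSA); GDPR Art. 17(3)(b)"),
    "transactions": (5, "relationship_end", "AML record-keeping (EU AMLD / FinCEN BSA); GDPR Art. 17(3)(b)"),
    "sar":          (5, "filed", "SAR retention after filing; GDPR Art. 17(3)(b)"),
    # marketing_prefs, behavioral_scoring: no rule, so they are erasable
}

@dataclass
class Record:
    category: str
    system: str                         # which copy: CRM, warehouse, processor...
    event_date: Optional[date] = None   # e.g. SAR filing date

def add_months(d: date, months: int) -> date:
    """Calendar-month addition, clamped to the last day of the target month."""
    m = d.month - 1 + months
    y, m = d.year + m // 12, m % 12 + 1
    last_day = (date(y + m // 12, m % 12 + 1, 1) - timedelta(days=1)).day
    return date(y, m, min(d.day, last_day))

def triage(received: date, relationship_end: Optional[date], records: list) -> dict:
    """Split records into erase/retain, cite the basis, and set both deadlines."""
    out = {"received": received,
           "deadline": add_months(received, 1),           # standard one month
           "extended_deadline": add_months(received, 3),  # genuinely complex cases
           "erase": [], "retain": []}
    for r in records:
        rule = RETENTION_RULES.get(r.category)
        if rule is None:
            out["erase"].append((r.category, r.system))
            continue
        years, trigger, basis = rule
        start = r.event_date if trigger == "filed" else relationship_end
        # Open relationship (or unfiled report): the retention clock has not started.
        until = add_months(start, 12 * years) if start else None
        if until and until <= received:
            out["erase"].append((r.category, r.system))    # period has expired
        else:
            out["retain"].append((r.category, r.system, basis, until))
    return out
```

Every retained item carries the specific basis and the date the obligation lapses, which is exactly what the response to the requestor has to state instead of "legal reasons".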
Right to Erasure in regulatory context
The tension between erasure rights and financial crime obligations is real and well-documented. The European Data Protection Board addressed it directly in its published guidelines on the interaction between GDPR and AML rules: where a legal obligation under member-state or EU law requires data retention, the controller has no discretion to comply with an erasure request, even a valid one. The retention obligation simply overrides the privacy right.
In practice, most financial institution data falls under one of three retention regimes. First, Know Your Customer (KYC) and CDD records: the EU's AMLD4 and AMLD6 require these for five years after the end of a business relationship, and several member states have extended this to ten years. Second, transaction data: similar five-to-ten-year requirements apply across jurisdictions. Third, regulatory report records: SARs and Suspicious Transaction Reports (STRs) are exempt from erasure requests throughout their mandatory retention period, typically five years from filing.
The FCA's Handbook (SYSC 28) and the EBA's AML/CFT guidelines set out detailed retention schedules for UK and EU institutions. FinCEN's rules, codified at 31 CFR Part 1020, require US institutions to retain records for five years. The FATF Recommendations, specifically Recommendation 11, set the global baseline at five years from the end of a transaction or business relationship.
Where data falls outside regulated categories, the right to erasure is fully enforceable. Marketing data, behavioral scoring, and preference data collected beyond KYC requirements have no exemption. Institutions that retain this data longer than necessary, often because nobody has ever pruned the database, face real compliance exposure when erasure requests arrive.
The audit trail of the erasure process itself must be kept. You need documented evidence that you received the request, what decision you made, which legal basis you relied on, and what actions you took. The retention period for this documentation is typically five years. There's an inescapable irony here: processing an erasure request creates records that must themselves be retained.
Common challenges and how to address them
Data silos are the dominant operational problem. A typical mid-sized bank may run 20 to 40 separate systems holding customer data: core banking, loan origination, CRM, fraud detection, email archiving, call recording, document management, and more. Getting a complete picture of where one person's data lives requires a data inventory that many institutions have never formally built.
The fix is unglamorous: data mapping, record-type classification, and system-of-record designation. This is foundational work that can take six to twelve months for large institutions. GDPR's Article 30 Record of Processing Activities (ROPA) is the regulatory obligation that forces it, but it's frequently treated as a compliance checkbox rather than a living operational tool.
Backup media presents its own challenge. Deleting from live systems in 30 days is achievable for most institutions. Guaranteeing deletion from offline backups within the same window is often technically impossible. Supervisory authorities, including the ICO, have published guidance accepting this reality. The expectation is a documented retention schedule for backups and controls that prevent a backup restore from reintroducing data that was lawfully erased from live systems.
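The restore-time control described above (a backup replay that must not reintroduce lawfully erased data, while regulated records on the same tape are still restored) as an added example, not the page's or any vendor's code. The keyed-hash ledger, the record shape and the sample backup rows are this example's constructed assumptions; storing only a pseudonymised token in the ledger keeps the suppression log itself from becoming a new copy of the identifier.

```python
import hashlib
import hmac
from datetime import date

# Keyed hash so the ledger itself stores no direct identifier (a pseudonymised
# token in the page's sense). The key is a constructed placeholder for this
# example; a real deployment would hold it in a key-management service.
LEDGER_KEY = b"constructed-example-key-not-for-production"

def subject_token(customer_id: str) -> str:
    return hmac.new(LEDGER_KEY, customer_id.encode(), hashlib.sha256).hexdigest()

class ErasureLedger:
    """Which data categories have been lawfully erased for which (tokenised) subject."""
    def __init__(self) -> None:
        self._entries: dict = {}

    def record(self, customer_id: str, erased_on: date, categories) -> None:
        self._entries[subject_token(customer_id)] = (erased_on, frozenset(categories))

    def suppresses(self, customer_id: str, category: str) -> bool:
        entry = self._entries.get(subject_token(customer_id))
        return entry is not None and category in entry[1]

def restore_with_suppression(backup_rows, ledger: ErasureLedger):
    """Replay a backup, dropping rows the ledger says were erased; log only tokens."""
    restored, suppressed = [], []
    for row in backup_rows:
        if ledger.suppresses(row["customer_id"], row["category"]):
            suppressed.append({"token": subject_token(row["customer_id"]),
                               "category": row["category"], "source": row["source"]})
        else:
            restored.append(row)
    return restored, suppressed

# Constructed sample: a 2024-06 backup replayed after customer C-1001's marketing
# data was erased on 2025-01-20; their AML-regulated transactions were retained.
BACKUP_2024_06 = [
    {"customer_id": "C-1001", "category": "marketing_prefs", "source": "crm_2024-06.bak", "payload": "opt-in"},
    {"customer_id": "C-1001", "category": "transactions", "source": "core_2024-06.bak", "payload": "txn-batch"},
    {"customer_id": "C-2002", "category": "marketing_prefs", "source": "crm_2024-06.bak", "payload": "opt-out"},
]

def demo():
    ledger = ErasureLedger()
    ledger.record("C-1001", date(2025, 1, 20), {"marketing_prefs", "behavioral_scoring"})
    return restore_with_suppression(BACKUP_2024_06, ledger)
```

The suppression list is the evidence a supervisor asks for: it shows which backup, which category and which subject were held back, without the restore run re-creating the erased identifier in the audit log.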
Third-party data sharing creates a cascade problem. If the bank has shared customer data with a marketing platform, a fraud analytics vendor, or a cloud infrastructure provider, erasure obligations must flow to those parties. Article 19 requires formal notification to all processors. That demands contractual erasure clauses and the operational infrastructure to act on them at scale.
The highest-risk failure mode is partial erasure: deletion from live systems but not from an archived data warehouse, a legacy reporting database, or a third-party copy. Regulators look for evidence of systematic processes, not just documented intent. A defensible erasure program requires evidence of completion across all systems, not a good-faith attempt in the primary database.
Related terms and concepts
Right to erasure sits within the broader framework of GDPR data subject rights. Article 15 provides the right of access, Article 16 the right to rectification, Article 20 the right to data portability, and Article 21 the right to object. Understanding which right applies in a given situation determines both the applicable response timeframe and which exemptions can be invoked.
Pseudonymization is the primary technical alternative to full erasure in regulated financial contexts. Replacing direct identifiers with tokens or reference codes means the institution retains transaction data for fraud modeling and regulatory purposes, but the data is no longer personal in a GDPR sense. Pseudonymization doesn't satisfy an erasure request on its own. It does, though, reduce the volume of genuinely personal data the institution holds, which in turn reduces erasure exposure for data categories that have no legal obligation exemption.
Data minimization under GDPR Article 5(1)(c) is the upstream control that makes erasure easier. If an institution only collects what it needs for a defined purpose, there's less non-regulated data to trace and delete when a request arrives. Institutions that applied minimization principles during onboarding design find erasure requests significantly more manageable than those that collected broadly and pruned nothing.
The California Consumer Privacy Act (CCPA) provides the closest US analog to the GDPR erasure right. Section 1798.105 grants California residents the right to request deletion, with exemptions for security, legal compliance, and fraud detection. The CCPA response window is 45 days, extendable to 90. Compliance teams operating across EU and US jurisdictions need separate intake and response workflows since the timeframes, exemption grounds, and scope differ materially.
Data residency requirements add a further layer of complexity in cross-border institutions. Customer data replicated across multiple jurisdictions may be subject to erasure obligations in one country and mandatory retention in another. This is particularly acute when the regulated retention period in country A exceeds the erasure right enforcement period in country B. Resolving this requires legal analysis specific to each jurisdiction's retention framework, not a single global policy.
Where does the term come from?
The right to be forgotten predates the GDPR. The European Court of Justice established the principle in Google Spain SL v. Agencia Española de Protección de Datos (Case C-131/12, decided May 2014), ruling that individuals may require search engines to delist results linking to personal information that is inadequate, irrelevant, or excessive. The court grounded the decision in the 1995 Data Protection Directive.
The GDPR formalized and strengthened the right as Article 17 when it took effect in May 2018, replacing the 1995 Directive, renaming the right "right to erasure," and extending its scope beyond search engines to all controllers. The term "right to be forgotten" remains in common use as an alias, particularly in case law and press coverage, though "right to erasure" is the precise GDPR terminology.
How FluxForce handles right to erasure
FluxForce AI agents monitor right-to-erasure-related patterns in real time, flag anomalies for analyst review, and generate evidence-backed decisions with full audit trails.