When to Complete Data Deletion Requests: Timing Is Everything
After explaining how to respond to data requests, it’s time to discuss the specifics. The right to be forgotten is one of the common pillars of data privacy regulations like the GDPR, and understanding every aspect of this right is critical for several reasons.
Companies that wish to avoid heavy fines or bad publicity must pay close attention to every detail of the law, including the time frame for responses and completion of the right to erasure under regulations like the GDPR and CCPA. Here’s how to remain compliant and fulfill data deletion requests on time.
What is the "right to be forgotten"?
The right to be forgotten, also called the right to erasure, can be found in Article 17 of the GDPR, which states that “The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay.” The GDPR specifies the grounds on which deletion must be carried out, such as when the information is no longer necessary, when consent is withdrawn, when there are no legitimate grounds for data processing, and more.
The CCPA offers similar demands, stating that “A consumer shall have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer.”
When a deletion request is submitted, all the relevant information gathered on this individual must be deleted from the company’s public or internal databases and backup systems. Deletion requests are pretty popular, and 62% of requests filed under privacy laws are based on the right to erasure.
Deletion time frames according to the GDPR and CCPA
The GDPR's one-month time limit appears in Article 12, which states that an organization’s data controller must respond “Without undue delay and in any event within one month of receipt of the request.” When requests are particularly complex or when one data subject files multiple requests, the GDPR allows this period to be extended by two months.
As for the CCPA, the law grants companies 45 days to respond to and fulfill the erasure request, which can be extended by another 45 days if the request in question is complex or because of the volume of submissions. In such cases, the organization is obligated to inform the data subject within 45 days. If the organization does not intend to delete the information at all (there are nine different exemptions, which we’ll discuss in a separate article), the company must communicate this decision without delay and include ways to appeal it.
Erasure time frames under other laws
GDPR deletion request time limits no longer apply in the post-Brexit UK, and the relevant law is currently the Data Protection Law, which draws plenty of inspiration from the original European regulation. We can spot the resemblance in the response time for erasure requests: one month, with an extension of two additional months for complex or multiple requests. The ICO recently clarified that the countdown begins when the request is received.
The VCDPA law that recently passed in Virginia gives local residents data privacy rights that are similar to those under the CCPA. The right to have one’s information deleted demands that organizations act within a reasonable period and respond to requests of different types within 45 days. Companies can ask for an extension of the same length and notify consumers within the initial response time frame.
The challenge of meeting the right to erasure time limits
While the erasure time requirements above seem pretty straightforward, they pose various challenges that companies often struggle to overcome. Research finds that the most difficult CCPA demand for organizations was mapping all the relevant data. Fulfilling the right to erasure is a close second. Another survey found that less than half of companies respond to GDPR data privacy requests on time, and more than 20% failed to cover all the relevant information.
These figures on GDPR deletion time frames show that companies find it hard to follow the rules. They struggle to ensure that the information is removed from every database run by the company, and many are still figuring out the latest regulation and how it impacts their daily conduct. We can see improvement in that area, as 2018 data around the same topic produced far worse results, with 70% of companies failing to meet all the requirements. Still, there’s plenty of room for improvement.
Improving companies’ ability to respond to erasure requests on time
Companies need technology solutions that make it easier for them to integrate all relevant data sources and efficiently manage data privacy requests at scale. When we enhance transparency and brand trust with technologies like Mine PrivacyOps, what was once an overwhelming mission becomes a streamlined, simple process. Want to watch this data ownership technology in action? Sign up for free and discover a privacy solution you’ll never want to delete.