How do I delete customer data?

You’ve set up all your data and privacy policies, but actually putting them into practice is a different story. Managing customer data or a customer profile doesn’t have to be hard: there are simple ways to handle GDPR customer removal requests. Here I’ll outline what to do in two sections: before and after a customer requests that their data be deleted.

1. Before the customer requests to have their information deleted

In this first section, I’ll go through the GDPR data deletion requirements, the request for erasure, and the process that should be put in place to support both the customer’s deletion request and your team, so that it is clear who is responsible for which action.

GDPR requires you to ensure that an individual’s customer detail is erased. This means deleting their information from any customer list your team has or will use. It also means that both your privacy policy and your cookie policy should give a customer a way to contact you and exercise their right to be forgotten. A customer can also make the request through other communication channels, such as customer support chat.

Establishing internal processes and resources helps to smooth this process. It also helps to differentiate where you are within your legal rights to hold customer information. An example of this is in financial institutions where customer application information may be held to help prevent irresponsible lending.

Who is responsible for setting this up?

These should be created by the company’s Data Protection Officer (DPO), but they are ultimately the responsibility of the whole team. The DPO should regularly review these practices to make sure that the team is acting in a compliant manner.

Don’t worry, I’m not just palming this off to the DPO. An easy resource to create is a simple checklist based on how customer information is used and tracked, taken from your privacy and cookie policy. See the example format below:

Source | Reason for tracking | How to delete? | Does a third party need to be informed? | Internal responsibility of?

Why use a checklist?

This means you have a clear list of the data sources, if and where customer information or a customer profile is held, and who in the company has access to delete this information.

It’s easy to think of sources like a mailing list where a customer’s email address is kept, but do not forget broader areas where customer information may have been stored, including folders on people’s laptops, an inactive customer list, incident reporting channels, or backup storage systems like Google Cloud Storage. Anywhere their customer detail can be identified will need to be added to this list.

What data is ok to keep under GDPR, CCPA and other data regulation?

When dealing with a request for erasure, the deletion request does not have to include anonymised data, e.g. tracking product trends on how many people who came through Facebook bought a XXX product.

Traffic data that is not connected to a person’s identity is fine to keep.

Agreed timelines

EU-GDPR and UK-GDPR state that requests, such as a request to delete data, must be completed without undue delay. Specifically, they allow for one month.

If the customer request involves more investigation outside of the process that your DPO set up, you should keep track of why and explain the delay to your customer, provided that doing so does not jeopardise your investigation.

We recommend frequently testing your data deletion processes by asking a member of the team to go through your process using a dummy account.

For more information about timelines, click here.

2. After the customer has made their data deletion request

This is where you will be able to test that you have rigorous data deletion practices.

External practices 

Most customer complaints about data removal happen due to the lack of communication from the company. 

Right from the customer’s request, acknowledge that the request was received and inform them that you will only contact them regarding this request.

Immediately unsubscribe their email address and remove them from any other customer communication lists.

After the team completes the request, you should confirm the deletion with the customer, noting that this will be the last communication and that should they try to access your services again, they will need to re-opt in.

Internal practices 

First of all, you need to log the request.

If your DPO has set up ways in which you flag active customer requests, e.g. an email address or a #data-deletion Slack channel, you will need to note it there.

You will then go through the processes set up by your DPO. If customer data, a customer profile, or a customer list needs to be kept for legal reasons, this should be logged.

Keeping this information recorded will be an important part of the auditing process. It will be part of proving you fulfilled all the actions necessary to completely remove customer data from your system.

Your DPO should review the practices on a regular basis, and any concerns in the team should be flagged to the DPO in a timely manner. The whole team is responsible and should be supported by training. This is a legal requirement.

Remember that all those who handle data are required by law to have yearly training.
See more about how you can get training here.
