How do I respond when a customer asks me to delete all their personal information?
A request to “delete all my personal information” feels straightforward, but it rarely is. Your job is to honor the person’s privacy interest while staying inside the law and your organization’s records obligations. Slow down and work through a structured process before deleting anything.
Start by Confirming the Request
First, verify the requester’s identity so you do not disclose or destroy data based on an impersonated request. Then clarify scope: do they mean a specific account, a single dataset, or every system that holds their information? People often want one thing fixed, not a wholesale purge. Document the request, the date received, and how you handled it.
Check Whether You Are Even Allowed to Delete
Deletion is not automatic. Before acting, confirm that no competing obligation requires you to keep the data:
- Records retention schedules. If the information is part of a record under an approved retention period, you generally cannot destroy it early.
- Legal holds and litigation. Active or reasonably anticipated litigation, audits, or investigations override deletion requests until the hold lifts.
- Statutory or contractual duties. Tax, employment, financial, and regulatory rules often mandate keeping certain data for set periods.
If any of these apply, you may need to deny or defer the deletion and explain why.
Know Which Privacy Rules Apply
Different frameworks grant different rights. A consumer privacy law, a sector regulation, or an internal policy may each define what “personal information” covers and when erasure is required versus optional. Apply the rule that actually governs the data in question rather than assuming a universal “right to be forgotten.” When unsure, route the request to your privacy officer or legal counsel.
Respond and Record
Give the requester a clear, timely answer: what you will delete, what you must retain and why, and the timeframe. Where you cannot delete, consider alternatives such as restricting use, de-identifying, or anonymizing the data. Finally, log the outcome so you can demonstrate accountability if asked later.
Building these steps into a repeatable workflow keeps you compliant and defensible. For more on managing sensitive data responsibly, see the privacy and PII topic hub.
Sources & further reading
Authoritative government and non-profit references.
- NIST Privacy Framework — NIST
- Privacy Act of 1974 — U.S. Department of Justice
How to cite this page
APA
RM University Editorial. (2026). How do I respond when a customer asks me to delete all their personal information?. Records Management University. https://www.recordsmgmt.org/questions/how-to-respond-to-customer-data-deletion-request/
MLA
RM University Editorial. "How do I respond when a customer asks me to delete all their personal information?." Records Management University, 16 June 2026, www.recordsmgmt.org/questions/how-to-respond-to-customer-data-deletion-request/.
Related questions
- Can a multinational use ISO 15489 to build one global records policy, or does it still need separate schedules per country?
- Can blockchain or immutable storage be used for records when privacy laws require you to delete personal data on request?
- Can I keep customer data longer than my retention schedule says if I might need it later?
- Can I keep customer personal data indefinitely if they agreed to my privacy policy when they signed up?
- Can you be fined for failing to honor a data subject's deletion request if you can't find their records?