What is the most common mistake organizations make when responding to a request to delete someone's personal data?
When someone asks an organization to delete their personal data, the request feels simple: find the data, erase it, confirm it is gone. In practice, the most common mistake is treating deletion as an all-or-nothing action and acting on it too quickly, before checking whether the data is actually eligible to be deleted.
The Core Mistake: Deleting Without Checking Obligations
Organizations frequently delete personal data on request without first verifying whether a competing legal obligation requires them to keep it. A deletion (“erasure”) right is almost never absolute. Records subject to a retention requirement, an active investigation, an audit, litigation, or a legal hold generally must be preserved, even when the individual asks for removal.
Destroying data that is under a legal hold or a mandated retention period can expose the organization to spoliation claims, regulatory penalties, and loss of evidence. The correct first step is to pause and ask: Are we permitted to delete this, in full or in part?
Related Pitfalls
- Over-deletion. Erasing far more than the request covers, including records the organization is legally required to keep or that belong to other people.
- Missing copies. Deleting the primary record but overlooking backups, archives, logs, exports, third-party processors, and analytics systems where the same data persists.
- No verification of identity. Deleting data based on an unverified request, which can itself become a privacy breach.
- No documentation. Failing to record what was deleted, what was retained, and why. The decision trail is often as important as the deletion itself.
How to Handle It Correctly
A defensible deletion process treats the request as a controlled records action, not a quick fix:
- Verify the requester’s identity and confirm the scope of the request.
- Map where the personal data lives across all systems and copies.
- Check retention schedules, legal holds, and statutory obligations before acting.
- Delete what is eligible; suppress or restrict what must be retained, and explain the carve-out.
- Document the outcome and confirm completion to the requester.
Mapping data, weighing obligations, and recording decisions are core privacy and governance disciplines. For more on managing personal and sensitive information responsibly, see the privacy and PII topic hub.
Sources & further reading
Authoritative government and non-profit references.
- NIST Privacy Framework — NIST
- Privacy Act of 1974 — U.S. Department of Justice
How to cite this page
APA
RM University Editorial. (2026). What is the most common mistake organizations make when responding to a request to delete someone's personal data?. Records Management University. https://www.recordsmgmt.org/questions/most-common-mistake-handling-a-personal-data-deletion-request/
MLA
RM University Editorial. "What is the most common mistake organizations make when responding to a request to delete someone's personal data?." Records Management University, 16 June 2026, www.recordsmgmt.org/questions/most-common-mistake-handling-a-personal-data-deletion-request/.
Related questions
- Can a multinational use ISO 15489 to build one global records policy, or does it still need separate schedules per country?
- Can blockchain or immutable storage be used for records when privacy laws require you to delete personal data on request?
- Can I keep customer data longer than my retention schedule says if I might need it later?
- Can I keep customer personal data indefinitely if they agreed to my privacy policy when they signed up?
- Can you be fined for failing to honor a data subject's deletion request if you can't find their records?