Right to erasure vs right to restriction of processing: how do they differ and how does each affect my records?
The right to erasure and the right to restriction of processing are two distinct data-subject rights commonly found in modern privacy frameworks. They are easy to confuse because both respond to an individual’s request about their personal data, but they call for very different actions and have very different effects on your records.
Right to erasure
The right to erasure (sometimes called the “right to be forgotten”) asks an organization to delete an individual’s personal data. When the right applies, the goal is permanent removal of the records or the personal identifiers within them.
For records managers, this is consequential. Erasure must reach all copies, including backups, replicas, and archived versions, to the extent feasible. It also collides with retention obligations: where a law, regulation, or legal hold still requires you to keep the data, erasure generally does not apply until that requirement ends.
Right to restriction of processing
Restriction does not delete anything. Instead, it freezes the data: the organization keeps the records but limits what it does with them. The data is typically retained and secured, but not actively used, shared, or otherwise processed, except for narrow purposes such as resolving a dispute or meeting a legal obligation.
Restriction is often a temporary or interim measure, for example while a dispute over accuracy or the lawfulness of processing is being resolved.
How each affects your records
- Erasure: records are destroyed or de-identified. Document the disposition so you can show what was removed and why, consistent with your retention schedule and any disposition authority.
- Restriction: records are preserved but flagged and locked down. Apply controls or markings that prevent routine use, and keep an audit trail of the restriction and its scope.
Practical takeaways
Build both rights into your retention and disposition program rather than treating them as one-off exceptions. Track which records are under a legal hold or active retention requirement, since those usually pause erasure. Maintain clear logging so you can demonstrate that you honored the request and acted within the limits the law allows.
For related guidance, see the privacy and PII topic hub.
Sound recordkeeping principles, such as documented disposition and reliable metadata, make either right far easier to satisfy defensibly.
Sources & further reading
Authoritative government and non-profit references.
- NIST Privacy Framework — NIST
- ISO 15489-1 Records management — ISO
How to cite this page
APA
RM University Editorial. (2026). Right to erasure vs right to restriction of processing: how do they differ and how does each affect my records?. Records Management University. https://www.recordsmgmt.org/questions/right-to-erasure-vs-right-to-restriction-of-processing/
MLA
RM University Editorial. "Right to erasure vs right to restriction of processing: how do they differ and how does each affect my records?." Records Management University, 16 June 2026, www.recordsmgmt.org/questions/right-to-erasure-vs-right-to-restriction-of-processing/.
Related questions
- Can a multinational use ISO 15489 to build one global records policy, or does it still need separate schedules per country?
- Can blockchain or immutable storage be used for records when privacy laws require you to delete personal data on request?
- Can I keep customer data longer than my retention schedule says if I might need it later?
- Can I keep customer personal data indefinitely if they agreed to my privacy policy when they signed up?
- Can you be fined for failing to honor a data subject's deletion request if you can't find their records?