Why Europe’s regulators are turning up the heat on “right to be forgotten” compliance

The right to erasure, or the “right to be forgotten,” has always been one of the most visible rights under GDPR. But a major new report from the European Data Protection Board (EDPB) suggests that while organisations understand the concept, many are still struggling to implement it effectively in practice.

After a year-long coordinated enforcement action, regulators note that compliance with this right is inconsistent and often inadequate. The EDPB’s overall assessment is that compliance across organisations is marked by procedural gaps, unclear retention practices, and technical limitations.

For organisations processing EU personal data, the report indicates that the right to erasure is now in regulators’ enforcement sights.

A Europe-wide compliance check

The findings stem from the EDPB’s 2025 Coordinated Enforcement Framework (CEF) action, a pan-European initiative designed to align enforcement priorities among data protection authorities.

Across the EU and EEA:

  • 32 supervisory authorities participated in the initiative
  • 764 organisations were examined, ranging from SMEs to large multinationals and public bodies
  • 9 authorities launched formal investigations, while 23 conducted fact-finding exercises

The exercise aimed to understand how organisations actually handle deletion requests under GDPR, including how they assess legal exceptions and operationalise deletion across systems. This focus reflects the fact that erasure is one of the most frequently exercised GDPR rights, and complaint numbers are rising across Europe. Regulators want to see how organisations respond.

The compliance gaps

While the EDPB report recognises examples of good practice, especially in larger private-sector organisations, it identifies seven recurring weaknesses that cut across industries and organisation sizes.

The most striking finding is that many organisations deal with erasure requests reactively rather than systematically. Instead of building structured deletion processes into their governance frameworks and IT systems, organisations often rely on manual workarounds when requests arise.

One of the most common problems is the absence of clear internal procedures. Seventeen supervisory authorities reported organisations lacking documented workflows for handling erasure requests, or relying on informal processes that are only reviewed after problems arise. Larger organisations were more likely to maintain structured procedures, while smaller entities often lacked basic documentation altogether.

Training also remains a significant weakness. Roughly one in five organisations provides no regular refresher training on data protection. This creates practical risks. Staff may fail to recognise that a request constitutes a legal erasure request, or they may misunderstand how to apply legal exceptions. In environments where requests can arrive through customer service channels, email correspondence, or social media, inadequate staff awareness can easily result in missed deadlines or inconsistent responses.

Another issue regulators observed repeatedly is a lack of communication with individuals. Many organisations fail to clearly explain how individuals can submit deletion requests or under what conditions the right applies. Some privacy notices also omit information about what happens when a request is refused or fail to explain individuals’ rights to lodge complaints with supervisory authorities. These gaps often trigger complaints even when organisations ultimately comply with the request.

Confusion around legal exceptions

The report also highlights widespread confusion regarding the exceptions to the right to erasure. GDPR does not provide an absolute right to deletion. Organisations may retain personal data in certain circumstances, such as if retention is necessary to comply with legal obligations or to establish, exercise, or defend legal claims.

But regulators found that organisations often misapply these exceptions. In some cases, companies treated legal obligations as automatically overriding erasure requests without examining whether the specific data needed to be retained. In others, organisations relied on “legitimate interests” without carrying out the required balancing test or documenting the reasoning behind their decision.

The EDPB emphasises that such decisions must be made case by case and supported by documented assessments. Without clear documentation, organisations may struggle to justify their decisions during regulatory investigations.

Retention management is still a challenge

Another recurring issue relates to data retention governance. Many organisations struggle to define clear retention periods across different processing activities. In some cases, organisations simply apply the longest legally required retention period to all datasets, even when different categories of data should be deleted earlier.

This often stems from legacy IT systems or fragmented data management practices. But from a regulatory perspective, the approach directly conflicts with the GDPR principles of data minimisation and storage limitation. Also, organisations frequently fail to communicate retention periods clearly in their privacy notices, leaving individuals uncertain about how long their data will be stored.

The technical challenge of deleting data in backups

Perhaps the most technically complex issue identified by regulators concerns data stored in backups. Half of the participating supervisory authorities reported that organisations lack clear procedures for deleting personal data from backup systems. In some cases, deleted data can be unintentionally restored when systems are recovered, effectively reversing earlier erasure decisions.

This issue is particularly significant because many organisations treat backup environments as outside the scope of their deletion obligations. Regulators are increasingly rejecting that assumption.

Supervisory authorities have now asked the EDPB to issue additional guidance on backup deletion, an indication that this area is likely to become an enforcement priority.

Anonymisation is an emerging compliance risk

Some organisations attempt to address erasure requests by anonymising personal data instead of deleting it. While this approach can be valid under certain circumstances, the EDPB report highlights that many organisations rely on techniques that do not truly anonymise the data.

In practice, the methods used often amount to pseudonymisation, meaning that individuals could still potentially be re-identified. This issue has gained further attention following the decision in EDPS v SRB before the Court of Justice of the EU. The ruling has prompted regulators to examine more closely what constitutes genuine anonymisation.

The EDPB is now developing new guidance on anonymisation, which is expected to clarify the legal standard organisations must meet when using anonymisation as an alternative to deletion.

Do organisations know where their data is?

Beyond the seven operational issues, regulators highlighted two structural weaknesses that frequently undermine erasure compliance. First, many organisations lack systematic data classification. Without accurate data inventories and mapping, organisations may not know where personal data resides across their systems. This makes it difficult to ensure that deletion requests are carried out completely.

Second, many organisations lack automated deletion mechanisms within their IT infrastructure. Instead of using automated retention schedules and deletion labels, organisations often rely on manual processes. As data volumes grow, this approach becomes increasingly unsustainable.

These structural problems create a situation where organisations can respond to individual requests but struggle to maintain consistent deletion practices across the organisation.

Enforcement pressure is increasing

The EDPB report signals where enforcement is heading. Several supervisory authorities have already indicated that the findings will inform sector-specific inspections and supervisory activities in 2026. Formal investigations launched during the coordinated action remain ongoing in multiple countries, including Ireland, France, Portugal, Slovenia, and Germany. For organisations, this creates a clear risk environment: increasing complaints from individuals combined with more proactive regulatory scrutiny.

What should organisations do now?

Organisations should treat erasure compliance as a strategic governance issue rather than a narrow legal requirement. Several practical steps can help strengthen compliance:

  • Conduct a GDPR Article 17 gap analysis. Review existing procedures, technical deletion capabilities, and documentation practices.
  • Establish documented workflows. Define clear internal processes for intake, verification, decision-making, and response.
  • Strengthen staff training. Ensure frontline teams can recognise erasure requests and escalate them appropriately.
  • Review retention schedules. Align retention periods with legal requirements and ensure they are clearly communicated in privacy notices.
  • Assess technical deletion capabilities. Work with IT teams to ensure data can be deleted across systems including backup environments.
  • Validate anonymisation methods. Ensure any anonymisation techniques genuinely eliminate re-identification risks.

A proactive review now can significantly reduce the risk of complaints, investigations, and enforcement actions later.

More scrutiny of data subject rights

The right to erasure enforcement action is part of a broader regulatory strategy. The EDPB has already confirmed that the 2026 Coordinated Enforcement Framework action will focus on transparency and information obligations under the GDPR.

Taken together with previous coordinated actions on cloud services, data protection officers, and the right of access, it’s clear that European regulators are examining how organisations implement data subject rights in practice. It’s also evident that compliance cannot rely on policies alone. It requires operational processes, trained staff, and technical systems that enable rights to be exercised effectively.
