January 16, 2023

Why The Right To Be Forgotten Is Even Harder To Comply With Than You Think (And What To Do About It)

The right to be forgotten sounds straightforward until you try to actually do it. This article breaks down why erasing a single individual's personal data is technically and operationally complex, and what organizations can do to get ahead of the problem before a deletion request lands in their inbox.

Patricia Thaine
Founder, Chairwoman, Thought Leader

In today's data-driven world, businesses are constantly collecting information from their customers in order to provide a better product or service, understand and alleviate pain points along the acquisition journey, gain operational insights, and build more efficient processes. Data has become essential infrastructure for modern organizations. But the collection and use of personal data carries an ethical and legal responsibility that many businesses are only beginning to fully reckon with.

Global data protection regulations, like the General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA), exist to protect individuals' rights to privacy. These regulations provide a legal framework that businesses must abide by when it comes to handling and storing their customers' personally identifiable information (PII). Failure to adhere to these regulations can result in significant fines, not to mention a serious blow to customer trust and brand reputation.

One major requirement across several of these data protection laws is the ability to comply with an individual's "right to be forgotten," also known as the right to erasure. This means that when a customer requests it, organizations are legally obligated to delete all of that individual's personal data from their systems. While this represents a meaningful protection for individuals worldwide, the operational reality for most businesses is that properly sanitizing a single person's data is immensely difficult to execute. Understanding why, and what to do about it, is essential for any organization that handles personal data at scale.

What Is the Right to Be Forgotten Under GDPR and CCPA?

The right to be forgotten is enshrined most prominently in Article 17 of the GDPR, which grants individuals in the European Union the right to request the deletion of their personal data under certain conditions. Similar provisions exist under the CCPA in California and in data protection laws across Canada, Brazil, and beyond.

The right applies when the data is no longer necessary for the purpose it was originally collected, when consent has been withdrawn, or when the data has been unlawfully processed. Once a valid request is received, organizations must act without undue delay. GDPR sets a one-month deadline for compliance, with limited extensions available for complex cases.

On paper, this sounds manageable. In practice, it requires organizations to have a complete, reliable map of every location where an individual's data lives across all systems, formats, and business units. Very few organizations have that map. And the absence of it creates serious compliance exposure.

Why Is Deleting an Individual's Personal Data So Technically Complex?

Complying with the right to be forgotten requires more than pressing a delete button on a user record in a primary database. It requires knowing where every piece of identifiable information about that person actually lives. That includes the obvious fields like name, email address, phone number, and date of birth, but it also includes less obvious data points that, when combined, can uniquely identify an individual, such as approximate location, religious affiliation, medical conditions, or employment history.

The challenge is that an individual's data rarely stays in one place. Over the course of a customer relationship, personal information can be collected through onboarding forms, recorded in customer service emails, captured in call center transcripts, embedded in documents, and replicated across multiple backend systems. Every time an employee shares customer data internally or externally without a proper tracking mechanism in place, another thread is added to an already tangled web.

From a regulatory standpoint, ordinary data management systems can be as hard to navigate as blockchains, which present their own novel challenges for right-to-erasure compliance. Without strict data governance protocols established from the beginning, organizations end up with blind spots across their infrastructure. A high-profile example of how this plays out at scale surfaced when a leaked internal Facebook document revealed that the company struggled to track where user data actually went after it was collected, making deletion a near-impossible task.

The problem is compounded further when you factor in unstructured data. Unlike structured databases with clearly labeled fields, unstructured data like free-form text documents, PDFs, emails, call recordings, and DOCX files contain personal information embedded in natural language. This information is difficult to search, harder to attribute to a specific individual, and often overlooked entirely during deletion workflows. According to research from MIT Sloan Management Review, unstructured data makes up approximately 80% of an organization's total data, and that proportion is growing.

For organizations in highly regulated sectors like healthcare, financial services, and pharma and life sciences, the volume and sensitivity of unstructured data make right-to-erasure compliance particularly high-stakes. A single patient record might be referenced across clinical notes, intake forms, billing documents, and call center logs, all stored in separate systems and formats.

Why Tracking the Data Is Only Half the Problem

Even once an organization has found all the places where an individual's data lives, deletion alone is rarely sufficient to meet the requirements of the right to be forgotten. Many data protection regulations require that personal data not just be deleted, but that it be properly sanitized.

The International Data Sanitization Consortium defines data sanitization as the deliberate, permanent, and irreversible removal or destruction of data stored on a memory device to make it unrecoverable. Under this definition, simply marking a record as deleted in a database does not constitute sanitization. The data may still reside in its deallocated location on disk and, while no longer reachable through normal retrieval methods, can still be recovered by anyone who reads that deallocated storage directly. Regulations like HIPAA set the expectation that data be made genuinely unrecoverable, not simply hidden from view. The consortium also maintains a useful reference of data protection regulations and their specific sanitization requirements.

Another compounding factor is the practice of making backup copies of storage systems. Organizations routinely create backups for business continuity purposes, but each of those backups contains the personal data that existed at the time the snapshot was taken. Every time data is saved or replicated, it may be written to a new physical location. Complying with a deletion request means tracking down and sanitizing not just the primary record but every backup or replica in which that data may have been captured.

The available sanitization techniques, including physical destruction of hardware, cryptographic erasure, and data erasure protocols, are designed primarily for erasing entire disks when devices are repurposed or decommissioned. They are not built for selective, per-individual removal of data. This means that standard sanitization methods cannot simply be applied to a single user's records without potentially affecting other data stored alongside it. Organizations that rely solely on traditional sanitization approaches will find themselves without a practical tool for complying with the right to erasure at the individual level.

How Does the Right to Be Forgotten Apply Across Different Industries?

The right to be forgotten does not apply uniformly across all sectors. Industry context shapes both the volume of data that organizations hold about individuals and the regulatory frameworks that govern how that data must be managed.

In healthcare and life sciences, patient data is subject to HIPAA in the United States, as well as various international equivalents. A patient may have personal information spread across electronic health records, lab reports, billing systems, clinical trial documentation, and call center transcripts. Organizations providing healthcare data de-identification solutions must account for all of these surfaces when processing an erasure request.

In financial services, customers interact with institutions across loan applications, account statements, customer service channels, and fraud reports. Financial data is highly regulated, and the intersection of data retention requirements with erasure rights creates genuine compliance tension that organizations must navigate carefully.

Insurance companies face similar complexity. Policy documents, claims records, recorded calls, and underwriting notes all contain personal data, and all of them must be addressed during a valid deletion request.

Contact centers are a particularly overlooked source of personal data risk. Customer calls are typically recorded for quality assurance and training purposes, and those transcripts and recordings contain rich, unstructured personal data that is difficult to search and easy to forget about during deletion workflows.

What Can Organizations Do to Make Right-to-Erasure Compliance More Manageable?

The good news is that organizations are not powerless. There are concrete steps that can be taken to reduce the operational burden of right-to-erasure compliance, most of which require establishing better practices before a deletion request arrives rather than scrambling to respond after the fact.

The first step is establishing clear data governance processes. When storing specific personal data is necessary, organizations should build systems to track where that data is stored and who it is shared with from the moment of collection. One practical approach for managing storage device sanitization is to replace or erase an individual's data from a primary storage device A, transfer all remaining data to a secondary storage device B, and then fully sanitize storage device A using an approved data erasure method. This creates a cleaner separation between active data and data pending sanitization.

The second major lever is data minimization. A core requirement of GDPR under Article 5 is that personal data collected must be "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed." In plain terms, the less personal data an organization collects and retains, the less there is to find and delete when an erasure request is received.

The third, and arguably most scalable, approach is automated de-identification at the point of data ingestion. Rather than trying to retroactively locate and erase personal data scattered across years of unstructured documents and records, organizations can proactively strip or replace identifying information before it ever reaches long-term storage. This is where tools purpose-built for data de-identification become operationally essential.

Limina's data de-identification platform is built by linguists, which means it is context-aware and capable of understanding the nuances of language and entity relationships within documents, not just surface-level pattern matching. This distinction matters enormously when dealing with unstructured data, where a person's identity may be inferred from indirect references rather than explicit name-and-address fields.

If your organization is managing personal data at scale and working through the operational realities of right-to-erasure compliance, contact Limina to see how automated de-identification can simplify your approach.

The Relationship Between De-identification and the Right to Be Forgotten

De-identification is not a replacement for a formal deletion workflow, but it significantly reduces the scope of what needs to be deleted. When personal data is de-identified before being stored or used in secondary analytics, the resulting dataset no longer carries the same regulatory weight. Information that cannot be traced back to a specific individual falls outside the scope of most right-to-erasure obligations, which means the universe of data subject to deletion requests shrinks considerably.

This is especially relevant for organizations that want to derive value from historical data for training models, running analytics, or understanding product usage patterns. The goal is not to prevent that analysis from happening. The goal is to ensure that it happens using data that no longer exposes individuals to privacy risk.

Properly implemented de-identification, applied consistently and systematically at the point of ingestion, transforms the right to be forgotten from a reactive firefighting exercise into a manageable compliance process. The key word is systematically. Ad-hoc or manual de-identification creates the same gaps and inconsistencies as any other undocumented process. Organizations that want durable compliance need solutions that operate at scale, across all data formats, with the linguistic intelligence to recognize personal information in the way it actually appears in real-world documents.

Limina's data de-identification platform processes over 70,000 words per second, identifies more than 50 entity types, and supports more than 52 languages, making it one of the most capable automated de-identification solutions available for organizations operating across complex, multilingual environments.

Ready to simplify how your organization handles personal data compliance? Get in touch with the Limina team today.
