How do I handle deletion requests securely?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
Handling a deletion request securely means three things: verify who's asking, delete what needs to go, and document that you did it.
Step 1: Verify identity before doing anything. You need reasonable confidence the request is coming from the actual data subject, not someone trying to delete another person's account or data. For email marketing, the most common verification is a confirmation email sent to the address in question. if they can click the confirm link, they control the inbox. Match the level of verification to the sensitivity of the data. A newsletter unsubscribe needs less verification than a request to delete a full account with purchase history.
Step 2: Locate all data about them. For email, this means checking your ESP, CRM, advertising platforms (Facebook, Google), third-party enrichment services, and any analytics tools that hold individual-level data. A deletion request that only covers your ESP but misses your CRM is incomplete. Under GDPR, you're responsible for cascading deletion requests to data processors you've engaged.
Step 3: Delete appropriately. Delete personal data. Retain what you're legally required to keep (transaction records, tax data, suppression markers). Convert engagement history to anonymized aggregates where possible rather than deleting the aggregate data entirely.
Step 4: Document the request and your response. Record when you received it, how you verified identity, what was deleted, what was retained and why, and when the deletion was completed. This documentation protects you if the person escalates to a regulator later.
Step 5: Confirm to the requester. Let them know what was deleted and what wasn't (and why). You're not required to share a full audit trail with the requester, but confirming you've completed their request is good practice and expected under most frameworks.
For what specifically must be deleted for email contacts, see what data to delete. For the record-keeping obligations around these requests, see DSAR record-keeping.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.