Is your organisation ready for a DPA probe on the Right to Erasure?

With the EDPB’s enforcement action underway, organisations must act fast to demonstrate compliance.

The European Data Protection Board (EDPB) has launched a Coordinated Enforcement Framework for 2025 focusing on GDPR’s right to be forgotten / right to erasure. This means Data Protection Authorities (DPAs) across the EU will participate in formal investigations or launch fact-finding probes into entities across various economic sectors, assessing how organisations handle data deletion requests and whether they comply with legal requirements.

If you’re struggling to prove that your processes are robust, now is the time to act. Based on past investigations, here are five common issues organisations face when fulfilling erasure requests:

1. Multiple intake channels not in sync with the Register of DSRs

Customers can request data deletion through various channels—email, customer support forms, app interfaces, and online chat—but without a centralised register, it’s nearly impossible to ensure that all requests are properly tracked and fulfilled. If you can’t demonstrate a reliable source of truth, your organisation is at risk of non-compliance when DPAs request evidence.

2. Handing over the DSR process to Customer Support teams

Customer support teams are often the first to receive deletion requests, but without the right tools and training, they may struggle to handle them correctly. A lack of clear workflows and centralised tracking can lead to missed or improperly processed requests, increasing compliance risks.

3. Manual erasure of data leads to human error and non-compliance

Manually deleting data across multiple systems is time-consuming and error-prone. Inconsistent deletions or overlooked records can lead to situations where customer data remains accessible when it shouldn’t be. This not only violates GDPR obligations but can also expose your organisation to enforcement actions and fines.

4. Failing to update processes as IT and Application landscapes evolve

Organisations frequently update or onboard new systems, but failing to integrate them into data deletion processes can lead to compliance gaps. If a newly implemented system is not accounted for in erasure workflows, personal data may inadvertently remain accessible, making it difficult to demonstrate compliance during a DPA investigation.

5. Misalignment with RoPA and Data Mapping

Your Record of Processing Activities (RoPA) and data map should be closely aligned with your deletion processes. If these foundational documents don’t accurately reflect how personal data is processed and erased, it can create inconsistencies that make compliance audits more challenging.

How TrustWorks can help you stay ahead of DPA investigations

At TrustWorks, we help organisations take control of their data subject rights (DSR) processes, ensuring they are audit-ready and compliant with GDPR’s right to erasure. Our platform provides:

  • A centralised DSR Management System to track and fulfil deletion requests across all intake channels.
  • Automated erasure workflows to reduce reliance on manual processes and eliminate human error.
  • Continuous monitoring & updates to ensure your compliance program adapts to evolving IT landscapes.
  • Seamless RoPA & Data Map integration so that your data inventory remains aligned with DSR fulfilment processes.

With the EDPB’s enforcement action underway, organisations need to act fast to ensure they can demonstrate compliance.

Reach out to me to request a free assessment to see if your organisation is ready for a DPA probe!

author

Krzysztof Szypillo

CPO & Co-Founder