Quick Hits
- EDPB’s 2025 Enforcement Focus: The EDPB’s Coordinated Enforcement Framework (CEF) action will prioritize enforcement of the right to erasure under Article 17 of the GDPR and involve coordination among thirty-two data protection authorities (DPAs) across Europe.
- Increased Scrutiny of Compliance: Organizations may face increased information requests, investigations, and follow-up actions to evaluate their erasure practices and identify compliance gaps.
- Preparing for Enforcement: Organizations will likely want to review and refine their erasure request processes to ensure timely responses, proper application of exceptions, and effective data deletion across all systems, including backup systems. They may also want to review their broader GDPR compliance framework to mitigate possible risk in the event of a broader request for information.
The right to erasure is one of the most frequently exercised rights under the GDPR. However, it is also a common source of complaints to DPAs and, when exercised in conjunction with other rights, such as the right to portability, is one of the more visible areas of GDPR noncompliance. The 2025 CEF action involves thirty-two DPAs across the European Economic Area that will begin contacting organizations directly to engage in formal and informal activities aimed at evaluating how the organizations handle and respond to erasure requests. A particular focus of the CEF action will be:
- assessing organizational compliance with the conditions and exceptions outlined in Article 17 of the GDPR;
- identifying gaps in the processes used by data controllers to manage data subject requests to erase; and
- promoting best practices for organizations’ handling of such requests.
Organizations across various sectors can expect increased scrutiny from DPAs. This may include simple information requests from DPAs to evaluate their current erasure practices and procedures, but will also, in some circumstances, result in formal investigations and regulatory follow-up actions. Because this is a coordinated, pan-European enforcement focus, organizations can expect more targeted follow-ups both nationally and internationally as the year progresses.
Organizations can prepare for the heightened attention to their erasure request handling processes by taking proactive steps to ensure that their data management practices align with GDPR requirements, particularly regarding:
- timely and accurate responses to erasure requests (i.e., within one month of the request);
- accurate application of exceptions, such as when data retention is necessary for legal compliance, or tasks carried out in the public interest or in the exercise of official authority;
- appropriate notification of erasure requests to other organizations where relevant personal data has been disclosed or made public;
- comprehensive processes to effectively erase data, such as erasure of personal data on backup systems in addition to live systems; and
- transparent communication with individuals who submit requests for erasure about their rights and the outcomes of their requests.
Organizations may also want to review their broader GDPR compliance frameworks, as a single identified noncompliance issue could, like a pulled thread, open up further areas of scrutiny and potentially trigger a larger and broader investigation into the business’s compliance posture as a whole.
Ogletree Deakins’ Cybersecurity and Privacy Practice Group will continue to monitor developments and will provide updates on the Cross-Border and Cybersecurity and Privacy blogs as additional information becomes available.
Benjamin W. Perry is a shareholder in Ogletree Deakins’ Nashville office and co-chair of the firm’s Cybersecurity and Privacy Practice Group.
Justin T. Tarka is a partner in Ogletree Deakins’ London office.
Lauren N. Watson is an associate in Ogletree Deakins’ Raleigh office.
Lorraine Matthews, a data privacy and cybersecurity practice assistant in Ogletree Deakins’ London office, contributed to this article.