GDPR-001 critical Right to Be Forgotten

Data deletion request mechanism

Users have the right to request deletion of their personal data. A mechanism must exist (self-service or documented request process) and internal handling procedures must be documented.

Question to ask

"Could a user delete their data right now, today?"

Verification guide

Severity: Critical

Users have the right to request deletion of their personal data. You need a mechanism to receive and process these requests.

Check automatically:

# Look for deletion-related endpoints or handlers
grep -riE "delete.*account|account.*delet|gdpr|right.*forgotten|erasure|remove.*user" src/ app/ lib/ routes/ controllers/ --include="*.ts" --include="*.js" --include="*.py"

# Look for documentation about deletion
grep -riE "deletion.*request|data.*deletion|right.*forgotten|gdpr.*request" docs/ README.md CLAUDE.md --include="*.md"

# Check for admin tooling for deletion
grep -riE "admin.*delete|delete.*user|purge.*user" src/ app/ --include="*.ts" --include="*.js"

Ask user:

  • "How do users request data deletion?" (self-service? email support@? contact form?)
  • "Is there a documented process for handling these requests?"
  • "Who handles deletion requests internally?"

Pass criteria:

  • User-facing mechanism exists (self-service endpoint OR documented email/form process)
  • Internal process documented (who handles, how to execute)

Fail criteria:

  • No mechanism ("we'd figure it out if someone asked")
  • Mechanism exists but undocumented (tribal knowledge)

Evidence to capture:

  • Deletion request mechanism (endpoint, email, form)
  • Location of process documentation
  • Who owns the process

Section

37. GDPR & Privacy Compliance

Operations & Incident Management

← Previous

LST-008

Auto-scaling triggers tested

 Next →

GDPR-002

Deletion request audit trail