GDPR-003 critical Right to Be Forgotten

Deletion timelines defined

GDPR requires response within one month. Define and communicate timelines, track requests against deadlines.

Question to ask

"Deletion request arrives today — when is it done?"

Verification guide

Severity: Critical

GDPR Article 17 requires response "without undue delay" and within one month. You need defined timelines and tracking.

Check automatically:

# Look for timeline/SLA documentation
grep -riE "30.*day|one.*month|deletion.*timeline|response.*time|sla.*delet" docs/ README.md CLAUDE.md --include="*.md"

# Check for automated reminders or deadline tracking
grep -riE "deadline|due.*date|sla|remind.*delet" src/ app/ --include="*.ts" --include="*.js" --include="*.py"

Ask user:

  • "What's your committed timeline for completing deletion requests?"
  • "Is this documented anywhere users can see? (privacy policy, terms)"
  • "Do you track against this timeline? (alerts if approaching deadline)"

Legal context: GDPR requires a response within one month. The deadline can be extended by two months for complex requests, but the user must be notified of the extension within the first month.
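The tracking the checklist asks for (a committed deadline per request, the one-month extension rule, and an alert when a request approaches or passes its deadline) is small enough to show in working code. The following is an added example, not part of the checklist or of any project it is applied to. It assumes the checklist's day-count figures (30 days for "one month", a further 60 days for the "two months" extension) and a constructed 5-day warning window; the sample requests and dates are constructed.

```python
"""Deadline tracker for GDPR Article 17 deletion requests (added example).

Assumptions, not taken from any regulation text:
- "one month" is approximated as 30 days, the "two months" extension as 60 days
  (the checklist's own figures: typically 30 days, max 90 for complex cases);
- an alert fires 5 days before the deadline (constructed threshold).
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

INITIAL_DAYS = 30        # response deadline after receipt
EXTENSION_DAYS = 60      # additional time for complex requests
WARN_BEFORE_DAYS = 5     # constructed: when to start alerting


@dataclass
class DeletionRequest:
    request_id: str
    received: date
    completed: Optional[date] = None
    extended_on: Optional[date] = None      # date the user was notified of an extension
    extension_reason: Optional[str] = None  # documented justification for the extension

    def initial_due(self) -> date:
        return self.received + timedelta(days=INITIAL_DAYS)

    def due(self) -> date:
        """Effective deadline: initial deadline, plus the extension if one was granted."""
        if self.extended_on is not None:
            return self.initial_due() + timedelta(days=EXTENSION_DAYS)
        return self.initial_due()

    def extend(self, on: date, reason: str) -> None:
        """Grant the extension; refused unless the user is notified before the initial deadline."""
        if self.completed is not None:
            raise ValueError("request already completed")
        if self.extended_on is not None:
            raise ValueError("extension already granted")
        if on > self.initial_due():
            raise ValueError("extension must be notified within the initial one-month window")
        if not reason.strip():
            raise ValueError("extension requires a documented reason")
        self.extended_on = on
        self.extension_reason = reason

    def status(self, today: date) -> str:
        """ON_TIME / LATE for completed requests; OPEN / DUE_SOON / OVERDUE otherwise."""
        if self.completed is not None:
            return "ON_TIME" if self.completed <= self.due() else "LATE"
        remaining = (self.due() - today).days
        if remaining < 0:
            return "OVERDUE"
        if remaining <= WARN_BEFORE_DAYS:
            return "DUE_SOON"
        return "OPEN"


def needs_attention(requests: Dict[str, DeletionRequest], today: date) -> List[str]:
    """IDs of open requests that are due soon or overdue, most urgent first."""
    urgent = [r for r in requests.values() if r.status(today) in ("DUE_SOON", "OVERDUE")]
    return [r.request_id for r in sorted(urgent, key=lambda r: r.due())]


def late_rate(requests: Dict[str, DeletionRequest]) -> float:
    """Share of completed requests that missed their deadline (the 'regularly exceeds' fail criterion)."""
    done = [r for r in requests.values() if r.completed is not None]
    if not done:
        return 0.0
    return sum(1 for r in done if r.completed > r.due()) / len(done)


TODAY = date(2024, 2, 5)  # constructed "today" for the sample run


def build_sample() -> Dict[str, DeletionRequest]:
    """Constructed sample queue covering each status the tracker can report."""
    reqs = {
        "r1": DeletionRequest("r1", date(2024, 1, 10)),                             # due 2024-02-09
        "r2": DeletionRequest("r2", date(2024, 1, 2)),                              # extended below
        "r3": DeletionRequest("r3", date(2023, 12, 1), completed=date(2024, 1, 5)),  # late
        "r4": DeletionRequest("r4", date(2023, 12, 20)),                            # overdue
        "r5": DeletionRequest("r5", date(2023, 11, 1), completed=date(2023, 11, 20)),
    }
    reqs["r2"].extend(on=date(2024, 1, 20), reason="data spread across archived backups")
    return reqs


if __name__ == "__main__":
    sample = build_sample()
    for rid, req in sample.items():
        print(f"{rid}: received {req.received}  due {req.due()}  status {req.status(TODAY)}")
    print("needs attention:", needs_attention(sample, TODAY))
    print(f"late rate: {late_rate(sample):.0%}")
```

The `extend` method encodes the page's rule that an extension is only valid if the user is notified inside the first month, so a request that has already passed its initial deadline cannot be quietly extended after the fact. `needs_attention` is the list a daily job would post to whoever owns deletion requests, and `late_rate` over completed requests is the number that decides the "regularly exceeds GDPR limits" fail criterion.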

Pass criteria:

  • Timeline defined (typically 30 days, max 90 for complex cases)
  • Timeline communicated to users (privacy policy or confirmation email)
  • Internal tracking to meet deadlines

Fail criteria:

  • No defined timeline ("we get to it when we can")
  • Timeline exists but not tracked
  • Regularly exceeds GDPR limits

Evidence to capture:

  • Defined timeline (days)
  • Where timeline is documented (internal + user-facing)
  • Tracking mechanism for deadlines

Section: 37. GDPR & Privacy Compliance (Operations & Incident Management)