Tuesday, April 14, 2026

New UK Data Law: Businesses Must Erase Data from Malicious Allegations

THE BOTTOM LINE

  • Policy Update Required: From 31 March 2026, companies must update their UK GDPR ‘right to erasure’ policies to include a new, specific ground for deleting personal data.
  • Targeted Erasure Right: This change gives victims of stalking and harassment the right to demand the erasure of their personal data when it has been processed due to an unfounded allegation made by their perpetrator.
  • New Compliance Burden: Your teams will need a clear process to verify erasure requests, including confirming the accuser’s legal status (e.g., a conviction for stalking) and the outcome of your internal investigation into their allegation.

THE DETAILS

A new regulation has brought a critical section of the Victims and Prisoners Act 2024 into force, directly amending the UK GDPR’s right to erasure (Article 17). Effective from 31 March 2026, this change introduces a specific and powerful new tool for individuals to control their personal data. It is designed to protect victims from the ongoing harm caused by malicious and unfounded allegations. For businesses, this means a new category of erasure request that your data protection officers and legal teams must be prepared to handle correctly.

The amendment adds a new trigger for the right to be forgotten. An individual (the data subject) can now request the deletion of their personal data if it was processed as a result of an allegation that meets three specific criteria. First, the allegation must have been investigated by the data controller (your company) and resulted in a decision of no further action. Second, the allegation must have been made by a malicious person. The law is very precise here: a malicious person is defined as someone who has been convicted of stalking or harassment against the data subject, or is subject to a stalking protection order in relation to them.

For CEOs and in-house counsel, the operational implications are significant. When such a request is received, your organisation must have a procedure to validate it. This will involve not only reviewing your own records to confirm an allegation was investigated and dismissed, but also potentially verifying the legal status of the person who made the allegation. This new right is not absolute and will not override legal obligations to retain data, but it creates a strong presumption in favour of erasure in these specific circumstances. Proactive steps, including updating internal policies and training staff who handle data subject requests, are essential to ensure compliance and avoid regulatory scrutiny.

SOURCE

Source: UK Statutory Instruments

Frankie
Frankie is the co-founder and "Chief Thinker" behind this newsletter. Where others might get lost in the noise of the digital world, Frankie finds clarity in the analog. He believes the best ideas don't come from a screen, but from quiet contemplation, deep reading, and the space to think without distraction.