How to Submit a UK GDPR Erasure Request to a Data Broker That Actually Works
If your first instinct when finding your personal data on a broker site is to click the opt-out button and consider it done, you are setting yourself up for frustration.
Not because the right does not exist. It does. Article 17 UK GDPR gives you the right to request erasure. Brokers have one month to respond. The ICO provides template letters.
The failure mode is treating a single request as a permanent solution to a structural problem. The data broker machine runs on upstream sources that keep publishing. Until those sources are fixed, the downstream broker database will keep refreshing.
This guide covers the process that produces actual results.
The Right Sequence
The instinct when you find your data on a broker site is to go straight to deletion. Resist it. Submit a subject access request first.
A subject access request under Article 15 UK GDPR asks the organisation to tell you what personal data it holds, the purposes for which it is processed, the legal basis, the sources, and the recipients. That information is genuinely useful before you request erasure for two reasons.
First, you learn exactly what is held. This lets you identify data that is incorrect, outdated, or disproportionate, all of which strengthen your erasure grounds.
Second, a broker that does not respond to a SAR within one month is non-compliant regardless of the merits of any subsequent erasure request. That creates a complaint record even before you reach the erasure stage.
Allow the SAR period to run before submitting the erasure request. In practice, submit the SAR, wait for the response or the deadline, then follow with the erasure request.
Writing the Erasure Request
Vague requests get vague responses. A request that cites the specific legal basis for erasure, names the data category, and explains the grounds is harder to refuse without proper justification.
The ICO’s template letter for the right to erasure is the starting point. Adapt it to include:
- The specific data you want removed, by category
- The specific grounds for erasure under Article 17 UK GDPR that you are relying on
- A statement that you object to processing under Article 21 UK GDPR on grounds relating to your particular situation, if you are relying on the objection right
- A request to confirm deletion and to identify any third parties to whom the data was disclosed before deletion
- The date by which you require a response, one calendar month from the date of submission
The grounds most relevant for a UK SMB director include: the data is no longer necessary for the purposes for which it was collected, the processing relies on legitimate interests and you object to it, and the processing was unlawful. Where a director’s home address has been combined with business data to create a profile used for commercial purposes, the necessity and balancing arguments are worth making explicitly.
Submission and Documentation
How you submit matters for the record.
Where the broker provides an online removal form, complete it and take a screenshot showing the completed form, the confirmation message, and the date and time. Note the method of submission in your tracking record.
Where email is the submission route, use a subject line that identifies the request clearly: “Article 17 UK GDPR: Right to Erasure Request” followed by your name. Send from an email address you can document. Keep the sent copy.
Where a postal address is provided as the only route, use recorded delivery. Keep the proof of postage.
Start a tracking spreadsheet with these fields: Broker name, SAR sent date, SAR deadline (one month), SAR response received, Erasure request sent date, Erasure deadline (one month from submission), Method of submission, Submission evidence reference (screenshot filename), Erasure response received, Outcome, Data still present on date checked, Next recheck date.
The Calendar Reminder
Set a calendar reminder for day 28, not day 30, and not day 31.
The legal deadline is one calendar month. Setting the reminder two to three days before the deadline gives you time to send a chaser if no response has arrived, and to document the chaser before the deadline passes. If the broker then fails to respond within the original deadline, you have a documented record of the request, the deadline, the chaser, and the non-response.
That documentation is the foundation of an ICO complaint.
Handling the Response
Responses fall into four categories.
Confirmation of deletion: confirm the deletion with a screenshot or saved email. Set the recheck date in your tracking record for 90 days from deletion confirmation.
Partial deletion or suppression: note the distinction. Suppression means the data is hidden from public display but not deleted. That may not satisfy Article 17, depending on the circumstances. Ask the broker to confirm whether the data has been deleted from its systems or only suppressed from public display.
Refusal with stated grounds: read the grounds carefully. A refusal must explain why the legitimate interests or legal obligation it relies on override your erasure right. If the explanation is inadequate, that is grounds for an ICO complaint.
No response: if the deadline passes without a response, that is non-compliance. Send a final chaser referencing the original request date, the legal deadline, and your intention to complain to the ICO. Then complain.
When Data Reappears
Data reappearance after confirmed deletion is not unusual. Brokers refresh their databases from upstream sources. If the upstream source, Companies House, the open electoral register, a marketing list, is still publishing your data, the broker’s next database cycle may republish you.
When reappearance happens, treat it as a new request. Document the reappearance with screenshots. Note the date of the previous deletion. Submit a fresh erasure request referencing the previous removal and the reappearance. Include the evidence.
A broker that repeatedly publishes data after confirmed erasure requests has a systemic compliance problem. Document the pattern. That pattern, submitted to the ICO as a complaint, is more valuable as policy evidence than a single isolated request.
The Identity Verification Trap
Many brokers will ask for identity verification before processing an erasure request. A reasonable request for identity verification is legitimate under UK GDPR where the broker genuinely cannot identify the person from the request alone.
An excessive request for identity documents, particularly for a deletion request from a public-facing people-search site where the data was visible without any identity check, is worth pushing back on. Ask the broker to explain specifically what identity evidence is needed and why that level of evidence is required for this type of request.
Where identity verification is required, provide the minimum necessary. Redact non-essential information from any document. Use secure submission. Keep a copy of what you provided.
Do not send your passport scan to a web form you found through a search engine without considering the risk of that process as well as the benefit.
Building the ICO Complaint Record
An ICO complaint is most effective when it is documented, specific, and not the first time you have raised the issue with the broker.
The complaint should include: the date the erasure request was submitted, the evidence of submission, the legal deadline, what response was received and when, what outcome occurred, and why that outcome does not comply with Article 17 UK GDPR.
Where a broker has missed the one-month deadline, note the exact number of days elapsed. Where data reappeared after deletion, attach the deletion confirmation and the reappearance evidence. Where a refusal was inadequate, identify specifically why the grounds given do not satisfy the legal standard.
One documented complaint reaching the ICO is a complaint. A pattern of documented complaints about the same broker, or about systematic reappearance, becomes an enforcement signal.
How to Turn This Into a Competitive Advantage
For MSPs and advisers, the ability to walk a client through this process and manage it on their behalf is a service most competitors have not developed. Director data management, including systematic erasure request tracking and ICO complaint records, is a recurring engagement with measurable outcomes.
For business owners, a documented record of active data rights management demonstrates governance maturity in supply chain security conversations. Being able to show that you actively manage director exposure, and that you know how to use UK GDPR rights to do so, is a differentiated capability.
How to Sell This to Your Board
The argument for board-level approval of this process is simple.
Director data in broker databases contributes to the attack surface that enables impersonation fraud and social engineering. The remedy is free, available under UK law, and requires an afternoon of setup followed by a recurring maintenance task every 90 days. The financial cost is zero. The risk reduction is documented and measurable.
Assign ownership. Set a completion date for the initial round of requests. Set a review date at 90 days. That is a governance action, not an IT project.
What to Do This Week
- Submit subject access requests to the top five broker sites that appear in search results for your directors.
- Set calendar reminders for the one-month SAR deadline and day 28 follow-up for each.
- Download the ICO’s erasure request template letter and adapt it for your specific situation.
- Create your tracking spreadsheet with the fields listed in this guide.
- When SAR responses arrive, review the data held and submit your erasure requests within the same week.