GDPR Data Erasure

The One CRM provides a structured workflow for handling GDPR right-to-erasure requests and right-of-access data exports.

Right to Erasure Request Workflow

When an individual requests deletion of their personal data:

  1. Receive the request — Typically via email or your privacy contact
  2. Locate the contact in CRM by searching for their name or email
  3. Open the contact record and click Actions > GDPR Erasure
  4. CRM shows a preview of all data that will be deleted and data that will be retained
  5. Confirm the erasure — This action is irreversible
  6. CRM processes the erasure and generates a certificate

What Data Is Deleted

When erasure is executed, CRM removes:

| Data Type | Action |
|---|---|
| Contact record | Name, email, phone, address, job title — all personal fields deleted |
| Activity log | Emails, calls, meetings, notes associated with the contact |
| Email history | All sent/received emails linked to this contact |
| Sequence enrollments | Active sequences are terminated, enrollment history removed |
| Form submissions | Lead capture form data submitted by this contact |
| Notes | All notes on the contact record |
| Custom field data | Any custom field values |

What Data Is Retained

Certain data is retained for legal and financial compliance:

| Data Type | Reason |
|---|---|
| Invoices in Books | Financial records required for tax and audit compliance |
| Audit log entries | Compliance requirement — entries are anonymized (personal details removed, action logged) |
| Won/lost deal records | Financial reporting — contact reference is removed but deal value and outcome remain |
| Suppression list entry | The email address is retained on the suppression list to prevent future contact (GDPR permits this) |

⚠️ Erasure is permanent and cannot be undone. Review the preview carefully before confirming. If the contact has linked invoices in Books, the erasure will proceed but those financial records are preserved as required by law.

Erasure Certificate

After erasure completes, CRM generates a certificate that includes:

  • Date and time of erasure
  • Categories of data deleted
  • Categories of data retained and the legal basis
  • The user who performed the erasure
  • A unique reference number

Download the certificate from the audit log. Provide it to the requesting individual as proof of compliance.

GDPR Data Export (Right of Access)

To fulfill a right-of-access request:

  1. Open the contact record
  2. Click Actions > Export Data
  3. CRM generates a JSON file containing:
    • All personal data fields
    • Activity timeline
    • Email history
    • Sequence enrollment history
    • Associated company and deal references
    • Consent records
  4. Download and provide to the individual within the 30-day GDPR timeframe

CRM tracks consent at the contact level with four fields:

| Field | Values |
|---|---|
| Consent Status | Opted In, Opted Out, Pending, Unknown |
| Consent Type | Explicit (actively opted in), Implied (existing business relationship), Imported |
| GDPR Basis | Consent, Legitimate Interest, Contract |
| Consent Source | Web form, trade show, imported, API, manual |

  • Contact opts in: Update consent status via form submission, preference center, or manually
  • Contact opts out: Click the unsubscribe link in any email, or update manually
  • Preference center: Contacts can manage their own consent at a public URL (no login required)

ℹ️ Consent status changes are logged in the audit trail with timestamps. This creates a defensible record of when and how consent was given or withdrawn.

Best Practices

  1. Process requests promptly — GDPR requires response within 30 days
  2. Verify identity — Before erasing, confirm the requester is who they claim to be
  3. Check all systems — CRM erasure only covers CRM data. If the contact exists in PSA, Books, or other systems, coordinate erasure across all products
  4. Keep the certificate — Store erasure certificates for your compliance records
  5. Train your team — Ensure everyone who handles contact data knows the erasure workflow
