When we onboard a new client, we run an inbox audit. We scan their email, helpdesk, and support channels for incoming GDPR requests — data access, erasure, portability, restriction, objection — going back 24 months. The results are consistently worse than the client expects. The average backlog on a mid-sized SaaS company is 34 unanswered requests. The record, so far, is 47 — from a single operations team that genuinely didn't know they were receiving them.
This piece is about why a deletion backlog is not a minor administrative problem. It's about how regulators calculate fines and why the arithmetic becomes frightening faster than most operators realise.
What the regulation actually requires
GDPR Article 17 grants data subjects the right to erasure — the "right to be forgotten." The right applies when the data subject withdraws consent, when the personal data is no longer necessary for the purpose it was collected, when the data has been unlawfully processed, or when erasure is required to comply with a legal obligation.
Article 12(3) establishes the response window: the controller must provide information on the action taken without undue delay and in any event within one month of receiving the request. Where requests are complex or numerous, that period can be extended by two further months, but the data subject must be told about the extension, with the reasons for it, within the first month. The rest of this piece calls that one-month window "the clock".
Failing to respond is not a grey area. It is a clear violation of Article 12. Each unanswered request is a separate infringement.
How regulators count the fine
Infringements of data subject rights (Articles 12 to 22) fall in the upper fine tier, Article 83(5): up to €20 million or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher.
Article 83(2) lists the factors a supervisory authority must weigh when setting the amount: the nature, gravity and duration of the infringement, whether it was intentional or negligent, what was done to mitigate it, and, crucially, the number of data subjects affected and the damage they suffered.
This is where deletion backlogs become dangerous. 40 unanswered erasure requests isn't one infringement. It's 40, and each has its own duration, running from the day its one-month response window closed. An erasure request received 18 months ago and never answered has been in breach for 17 of those months, and the counter is still running.
Several DPA decisions have applied this reasoning. The Dutch DPA's €525,000 fine against a people-search site was triggered by people who could not get their data removed, although the penalty was formally imposed for having no EU representative to receive such requests. The Irish DPC has used similar reasoning. The logic is consistent: the longer you wait, the higher each request's contribution to the fine calculation.
Why the requests don't get answered
The most common reason is routing failure. Deletion requests arrive through unexpected channels: a LinkedIn message to the CEO, a reply to a marketing email, a complaint submitted through an online form that nobody monitors. GDPR doesn't require requests to be submitted through a specific channel or to cite the regulation. If someone asks for their data to be deleted, in whatever words and through whatever channel, the clock has started.
The second reason is ownership ambiguity. When a deletion request arrives, nobody is sure whether it belongs to legal, to product, to customer success, or to engineering. While the debate runs, the one-month clock does not pause.
The third reason is technical complexity. Deleting a user "properly", including from backups, from analytics systems and from third-party sub-processors, is operationally non-trivial. Companies wait until they have the capacity to do it completely, rather than responding immediately and stating where deletion isn't yet technically feasible. Backups are the usual sticking point: the generally accepted approach (the UK ICO's guidance says as much) is to put the data beyond use until the backup cycle expires and to make sure a restore does not resurrect it.
What a response actually requires
You don't need to have deleted all the data before you respond. You need to respond within one month confirming receipt, explaining what action you're taking, noting any exemptions that apply (pending legal claims, a legal obligation to retain, public interest), and giving a timeline for complete deletion where it can't happen immediately.
Regulators consistently make a distinction between companies that failed to respond at all and companies that responded, explained their position, and completed deletion with a reasonable explanation for any delay. The former category attracts fines. The latter attracts scrutiny but rarely enforcement action.
Auditing your own backlog
Search every inbound channel (support tickets, email inboxes, contact forms, LinkedIn, social media DMs) for the following terms, going back as far as your records allow and at least 24 months:
- "delete my data"
- "remove my information"
- "right to erasure"
- "forget me"
- "GDPR request"
- "personal data"
- "unsubscribe" (sometimes an erasure request in disguise; read the message rather than filtering on the word)
For each hit, determine: was it responded to within one month (or within the extended deadline, if an extension was properly notified)? Was action taken? Is there documentation?
If the answer to any of these is no, you have an open compliance liability. The longer you take to remediate it, the larger that liability grows.
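The audit above is a search-and-triage loop, and it is worth scripting so the same logic runs against every channel export. The following Python is an added example, not tooling from the original page: it matches the phrases listed above against a constructed sample inbox, computes the Article 12(3) deadline (one month from receipt, or three if an extension was notified inside the first month), and reports each hit as on time, late, open or pending, together with whether the erasure was completed and documented. The Message fields, channel names, dates and message texts are all assumptions; a real run would feed in exports from the ticketing system and mailboxes.

```python
# Added example, not the page's own tooling: a minimal backlog audit over a
# constructed inbox. Field names, channels, dates and message text are assumptions.
import calendar
import re
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Wording that almost certainly signals an erasure request (matched case-insensitively),
# and wording that needs a human to read the message: usually noise, sometimes a request.
ERASURE_PATTERNS = [
    r"\bdelete my (data|account|information)\b",
    r"\bremove my (data|information|details)\b",
    r"\bright to (erasure|be forgotten)\b",
    r"\bforget me\b",
    r"\bgdpr request\b",
]
REVIEW_PATTERNS = [r"\bunsubscribe\b", r"\bpersonal data\b"]

@dataclass
class Message:
    msg_id: str
    channel: str                               # "email", "ticket", "linkedin", "webform", ...
    received: date
    text: str
    responded: Optional[date] = None           # day information on action taken was sent
    extension_notified: Optional[date] = None  # day an Art 12(3) extension notice was sent
    completed: Optional[date] = None           # day the erasure was actually carried out
    documented: bool = False                   # request and outcome are on record

def add_months(d: date, n: int) -> date:
    """Same calendar day n months later, clamped to month end (31 Jan + 1 month -> 28/29 Feb)."""
    idx = d.month - 1 + n
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))

def classify(text: str) -> Optional[str]:
    """'erasure' for a clear request, 'review' for ambiguous wording, None for everything else."""
    lower = text.lower()
    if any(re.search(p, lower) for p in ERASURE_PATTERNS):
        return "erasure"
    if any(re.search(p, lower) for p in REVIEW_PATTERNS):
        return "review"
    return None

def response_deadline(m: Message) -> date:
    """One month from receipt; three months only if an extension was notified inside the first month."""
    deadline = add_months(m.received, 1)
    if m.extension_notified is not None and m.extension_notified <= deadline:
        deadline = add_months(m.received, 3)
    return deadline

def assess(m: Message, today: date) -> dict:
    """Status of one message: on_time, late, open (deadline passed, no reply) or pending."""
    deadline = response_deadline(m)
    if m.responded is None:
        status = "open" if today > deadline else "pending"
        days_over = max(0, (today - deadline).days)
    elif m.responded > deadline:
        status, days_over = "late", (m.responded - deadline).days
    else:
        status, days_over = "on_time", 0
    flags = [name for name, missing in (("erasure_not_completed", m.completed is None),
                                        ("undocumented", not m.documented)) if missing]
    return {"msg_id": m.msg_id, "channel": m.channel, "deadline": deadline,
            "status": status, "days_over": days_over, "flags": flags}

def audit(messages, today: date) -> list:
    """One finding per message that is, or might be, an erasure request."""
    return [dict(assess(m, today), kind=classify(m.text))
            for m in messages if classify(m.text) is not None]

def summarize(findings) -> dict:
    """Backlog counts plus the age of the oldest unanswered request."""
    counts = {"open": 0, "late": 0, "on_time": 0, "pending": 0, "needs_review": 0, "oldest_open_days": 0}
    for f in findings:
        if f["kind"] == "review":
            counts["needs_review"] += 1
            continue
        counts[f["status"]] += 1
        if f["status"] == "open":
            counts["oldest_open_days"] = max(counts["oldest_open_days"], f["days_over"])
    return counts

# Constructed sample inbox; dates are chosen to exercise each branch above.
TODAY = date(2025, 1, 15)
SAMPLE_MESSAGES = [
    Message("T-101", "ticket", date(2024, 9, 2), "Hi, please delete my data and close the account.",
            responded=date(2024, 9, 12), completed=date(2024, 9, 20), documented=True),
    Message("LI-7", "linkedin", date(2024, 3, 5), "I want to exercise my right to erasure. Thanks."),
    Message("E-55", "email", date(2024, 5, 10), "Unsubscribe me and remove my information from your systems.",
            responded=date(2024, 6, 30), completed=date(2024, 7, 2), documented=True),
    Message("E-56", "email", date(2024, 12, 20), "unsubscribe"),
    Message("WF-3", "webform", date(2024, 10, 31), "Please forget me, I no longer use the service.",
            extension_notified=date(2024, 11, 25)),
    Message("T-102", "ticket", date(2024, 12, 1), "Where is my order?"),
    Message("WF-4", "webform", date(2024, 11, 30), "Forget me. Delete everything you hold on me.", documented=True),
]

if __name__ == "__main__":
    print(summarize(audit(SAMPLE_MESSAGES, TODAY)))
```

Two details are deliberate. A bare "unsubscribe" lands in needs_review rather than in the backlog count, while "unsubscribe me and remove my information" is classified as an erasure request because the stronger phrase is checked first; the audit should never silently drop the ambiguous ones. And oldest_open_days (285 for the sample LinkedIn message) is the figure that maps onto the duration factor in Article 83(2), so it is the number to put in front of whoever is deciding whether this is urgent.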
This is the most actionable compliance risk most companies have. It doesn't require a policy change or a board decision. It requires an audit, a process, and someone to own it.