On February 18, 2026, the EDPB published its report from last year's coordinated supervisory action on the right to erasure. 32 supervisory authorities reviewed 764 companies - ranging from SMEs to multinational corporations. They found the same thing everywhere: a lack of internal procedures for handling erasure requests, no clearly defined retention periods, and technical limitations that make it impossible to delete data from backup systems. Nine supervisory authorities have already initiated formal investigations.
What does this mean to you?
Do you know what you store about ex-customers and ex-employees — and when you should delete it? If not, start with treatment protocol (RoPA) — Record what you process and for how long. It's the starting point for everything else.
Inspired by: European Data Protection Board