When Someone Asks You to Delete Everything: How to Handle Total Erasure DSARs
How to process 'delete everything about me' requests. What you must delete, what you can keep, how to set expectations, and a step-by-step response process.
Last updated: 2026-02-08
"Remove Everything About Me"
You received an email saying "I want all my data deleted. Everything." This sounds dramatic, but it is a standard erasure request. Here is how to process it.
Disclaimer: This article is for informational purposes only and does not constitute legal advice. Consult a qualified attorney for guidance specific to your business.
What "Everything" Actually Means
The requester wants you to delete all personal data you hold about them. They are not asking you to erase them from the entire internet — they cannot compel Google, news sites, or other companies through you. They are asking you to delete what is in your systems.
Treat it as a standard erasure DSAR under whichever law applies (GDPR Article 17, CCPA § 1798.105, or the relevant state law).
Step-by-Step Response
1. Do Not Panic or Dismiss It
"Delete everything" is valid wording for an erasure request. No specific legal citation is required from the requester.
2. Verify Identity
Before deleting anything, confirm the requester is who they say they are. Proportionate verification — do not demand excessive proof. See our identity verification guide.
3. Find All Their Data
Search every system where personal data lives:
- Databases and applications
- CRM (Salesforce, HubSpot, etc.)
- Email marketing (Mailchimp, etc.)
- Customer support tickets
- Email inboxes (search for their name and email)
- Cloud storage and shared drives
- Analytics platforms (where individually identifiable)
- Spreadsheets and local files
- Paper records
This is where a data map pays off. If you do not have one, now is a good time to build one. See our data discovery tools guide.
4. Identify What You Must Keep
Even in a "delete everything" request, some data may be legally required to stay:
- Tax and financial records — typically 6-7 years
- Employment records — varies by jurisdiction, often 3-7 years
- Data relevant to active legal claims — as long as the claim is live
- Regulatory records — industry-specific retention requirements
- Transaction records needed for ongoing service — if they still have an active account
Document each retention reason with the specific legal basis.
5. Delete Everything Else
Delete from all active systems. Verify each deletion:
- Account data — deactivate and purge
- Marketing data — remove from all lists and campaigns
- Analytics data — delete or anonymize individual-level records
- Support data — delete tickets and chat logs
- Email — delete messages containing their data
- Cloud files — search and delete documents
Backups: Most businesses cannot selectively delete from backups. Delete from all active systems, document that encrypted backups may retain data until they cycle out, and ensure the data is not restored.
6. Notify Downstream
If you shared their data with third parties:
- GDPR: Take reasonable steps to inform other controllers (Article 17(2))
- CCPA/CPRA: Direct service providers, contractors, and third parties to delete
- Keep records of every notification sent
7. Respond Clearly
Tell them exactly what happened:
- What was deleted and from which systems
- What was retained and why (cite specific legal basis)
- Which third parties were notified
- That you cannot control data held by other companies
- Their right to complain to a supervisory authority (GDPR) or the state AG
Deadline: 30 calendar days (GDPR) or 45 calendar days (US state laws).
Setting Expectations
If the requester expects you to remove them from the entire internet, clarify what you can and cannot do:
- You can delete data in your systems
- You can direct your service providers to delete
- You cannot remove search engine results, news articles, social media posts by others, or public records
- You cannot compel other companies to delete their data — the requester needs to contact them directly
Be helpful: if you know their data exists with specific third parties, let them know so they can make requests there too.
Related Guides
- Handling Right-to-Erasure Requests — GDPR Article 17 process
- Responding to US Deletion Requests — state-by-state guide
- DSAR Identity Verification — verification methods
- How to Respond to a DSAR — the full response process