From 31 March 2026, amendments to the UK GDPR’s right to erasure take effect UK‑wide. A commencement instrument activates section 31 of the Victims and Prisoners Act 2024 and paragraph 32 of Schedule 11 to the Data (Use and Access) Act 2025, introducing a specific statutory ground for erasure and aligning territorial extent with the UK GDPR. (legislation.gov.uk)
Section 31 inserts Article 17(1)(g) into the UK GDPR. A data subject may require a controller to erase personal data where it was processed as a result of an allegation that meets three cumulative tests: the allegation was made by a ‘malicious person’ in relation to the data subject; the controller has investigated the allegation; and the controller has decided that no further action is to be taken. (legislation.gov.uk)
The Act defines ‘malicious person’ for this purpose. It covers an individual convicted of specified stalking or harassment offences (including breach of a stalking protection order) in relation to the victim, and a person subject to a stalking protection order made to protect the victim from a risk associated with stalking. The legislation sets out a table of qualifying offences across England and Wales, Scotland and Northern Ireland. (legislation.gov.uk)
In practice, the new provision targets situations where a perpetrator’s unfounded allegation has generated records about a victim-such as entries in an employer’s complaint system or a service provider’s risk log. Once the controller’s investigation has concluded with no further action, the victim gains a direct route to request deletion of that data under Article 17(1)(g). (legislation.gov.uk)
The right to erasure remains qualified. Controllers may refuse a request where an Article 17(3) exception applies, including where processing is necessary for compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority. ICO guidance confirms the right is not absolute and only applies in certain circumstances. (ico.org.uk)
Paragraph 32 of Schedule 11 to the Data (Use and Access) Act 2025 ensures that Article 17(1)(g) and the associated new paragraphs, and the new section 13A of the Data Protection Act 2018 on ‘relevant offence’, extend to Scotland and Northern Ireland as well as England and Wales, mirroring the UK GDPR’s territorial scope. (legislation.gov.uk)
From 31 March 2026 controllers will need to update erasure‑request triage and casework. Decision‑makers should record the investigation outcome, confirm that no further action is to be taken, and verify whether the person who made the allegation qualifies as a ‘malicious person’-typically evidenced by a relevant conviction or a stalking protection order-before applying Article 17(1)(g). (legislation.gov.uk)
Public bodies and regulated sectors should assess the new ground against statutory retention duties. Where law requires records to be kept, Article 17(3)(b) provides a basis to retain data despite an erasure request; however, controllers should issue a clear, reasoned decision within the usual one‑month response period and document the legal basis relied upon. (ico.org.uk)
Victim support organisations may see increased demand for assistance. Effective requests are likely to reference the controller’s ‘no further action’ decision and any relevant court order or conviction. Controllers remain responsible for verifying eligibility and balancing the request against applicable exemptions before deciding whether to erase the data.
The legislation also creates a power for the Secretary of State to amend the offence table in Article 17(5) by regulations subject to the affirmative procedure, allowing the list of qualifying offences to be updated via secondary legislation. Organisations should monitor future instruments for any changes. (legislation.gov.uk)