Right to Erasure on a Mac — How to Actually Delete Someone Under Article 17

Right to Erasure on a Mac — How to Actually Delete Someone Under Article 17

Article 17 of the GDPR — the right to erasure, or “right to be forgotten” — sounds simple: a person asks you to delete their data, and you delete it. The hard part isn’t the deleting. It’s the finding. To honour an erasure request you have to remove every copy of that person’s personal data — and on a Mac, the copies are exactly the things nobody remembers making.

Delete the record in the main system and call it done, and you’ve almost certainly left the person’s data in three other places. That’s not compliance; it’s a false confirmation.

What “erase” actually requires

When a valid erasure request lands, you’re obliged to delete the person’s personal data across everything you control — not just the tidy system of record. That means:

You also have to stop holding it going forward — which means fixing whatever process keeps re-creating copies.

There are limits: you can retain data you’re legally required to keep (tax records, for instance), and you can refuse manifestly unfounded or excessive requests. But “we couldn’t find it all” is not on the list of valid exceptions.

Why it’s hard on a Mac

The same reason DSARs are hard: personal data spreads, and macOS gives you no native way to ask “which files contain this person?” Spotlight finds files by name and known keywords, not by the pattern of a national ID or a scattered set of identifiers. So the honest answer to “have you deleted everything?” is usually “we deleted what we remembered.”

That gap is the whole risk. An erasure request you fulfilled incompletely is arguably worse than one you never received — you’ve now confirmed deletion of data you still hold.

A repeatable erasure method

Treat every erasure request as a find-then-destroy operation:

  1. Verify the request and the identity. Confirm it’s genuine and that you can identify the person unambiguously — name plus a strong identifier (email, national ID, account number).
  2. Scan for every identifier, everywhere. Search your mapped repositories — drives, mail, the specific Macs — for the person’s name, email, national ID and phone. Pattern-based, not keyword.
  3. Review each hit. Some copies are erasable; some fall under a retention obligation and must be kept (and documented as such).
  4. Delete properly. Remove the erasable copies from the file system, Trash, and backups. A file “deleted” but still in a Time Machine snapshot is still held.
  5. Close the tap. Identify what kept creating copies and stop it, so the person doesn’t reappear next quarter.
  6. Record what you did. Log what you searched, what you deleted, and what you retained and why. That record is your proof of compliance — and your defence if the person complains.

The retention nuance

Not everything can be erased, and pretending otherwise is its own mistake. The skill is separating “personal data past its purpose” (delete) from “data under a legal retention duty” (keep, document, and restrict access). You can only make that call file by file — which means you first have to see every file. Finding is the prerequisite for both deleting and defensibly keeping.

Doing it on-device

Fulfilling an erasure request by uploading someone’s files to a cloud search tool would mean copying their data off the Mac in order to delete it — the opposite of the point. The search stays local.

GDPR File Audit scans folders, drives and mail stores on your Mac and flags every file that contains a given person’s identifiers, so an erasure request becomes a scan, a review, and a clean deletion — with an exportable record of exactly what you found and removed. Nothing leaves the machine.

The right to be forgotten is only honoured if the forgetting is complete. Find every copy first — then you can delete with a straight face.