MARKET PULSE UK


UK GDPR: new erasure ground starts 31 March 2026

From 31 March 2026, a new, targeted ground for the right to erasure takes effect in the UK. Commencement regulations activate Section 31 of the Victims and Prisoners Act 2024, which inserts Article 17(1)(g) into the UK GDPR for cases where personal data was processed because of an allegation and the controller has decided to take no further action. (legislation.gov.uk)

This is not a blanket rewrite of GDPR. Parliament has set a narrow test: the allegation must have come from a “malicious person” and relate to the data subject. A malicious person here means someone convicted of a relevant stalking or harassment offence against the data subject, or someone subject to a stalking protection order made to protect them. (hansard.parliament.uk)

The provision applies across the UK. The Data (Use and Access) Act 2025 ties the amendments to the same territorial extent as the UK GDPR, ensuring controllers in England, Wales, Scotland and Northern Ireland apply the same rules. (legislation.gov.uk)

For DPOs, the operational threshold has three moving parts: validate that the accuser meets the “malicious person” definition; confirm the organisation investigated the allegation; and record a decision of “no further action”. Only when all three are satisfied should teams erase data created because of the allegation, and never material still needed for legal duties, safeguarding or service delivery. (legislation.gov.uk)

Timelines remain familiar. Organisations have one month to respond to erasure requests and may extend by up to two further months for complex or numerous requests. The right is still limited: it does not apply where processing is required by law or necessary for tasks in the public interest or in the exercise of official authority, among other exemptions. (cy.ico.org.uk)

Documentation will make or break compliance. ICO guidance expects firms to log requests and decisions and to explain refusals clearly. Where erasure is granted, keep a minimal audit trail so you do not process the same data again, and plan how deletion propagates into backup environments and processor systems under contract. (cy.ico.org.uk)

Example: a housing association receives an allegation from a resident’s ex‑partner about tenancy fraud. The resident provides evidence of a stalking protection order. After checks confirm the order and the investigation closes with no further action, the association deletes the incident record and email tags generated solely by the allegation. The tenancy file, held for statutory purposes, remains.

Example: a university support service logs a complaint that triggers safeguarding workflows. Police confirm the accuser has a stalking‑related conviction tied to the student; the panel records no further action. The service erases case notes and ticket metadata created because of the allegation, but retains risk registers or duty‑of‑care records where legal obligations still require them.

Expect boundary calls. Requests may reach across ticketing tools, risk systems and messaging archives where an unfounded allegation propagated. Controllers should trace the data flows, inform third‑party recipients where feasible, and explain any lawful retention. The ICO’s guidance confirms recipients should be told about erasure where data was disclosed or made public, unless this is impossible or disproportionate. (cy.ico.org.uk)

What to do now: update erasure policies and triage scripts; add a verifier step for stalking convictions and protection orders; rehearse the “investigated, no further action” test with case‑handling teams; and check supplier SLAs for downstream deletion. MoJ materials frame this as a targeted victim‑safety fix rather than a broad rewrite, so most teams face a process and training lift rather than a system rebuild. (gov.uk)
