When a customer requests to delete their data under the GDPR, the first step is to confirm their identity and the details of their request. Once confirmed, the company should delete all of the customer’s data from their systems and any third-party data processors they are using. The company should also ensure that any data backups are also deleted and that all other internal systems are updated to reflect the deletion. Finally, the company should inform the customer that their data has been deleted.