
Why is delete=1 a best practice? There are competing concerns here. The government has now decided for everyone. Agree or disagree, it is not worth implying immorality where no immoral intent is present.



I’m not sure that delete=1 is a good idea, because you’re still mutating database records. But, it’s often a lot cleaner conceptually to model state as an append-only log of assertions and retractions or via a log-structured system, where you never delete old records but just push a new index record that leaves the appropriate record out.


Sure, but it also leaves a much bigger attack surface, because you still have all the deleted data ready to be leaked, as has repeatedly happened in practice. It's only a cleaner solution if your risk accounting allocates close to zero cost to that, which is what most startups do.

It's hardly only EU bureaucrats who have pointed this out. See Bruce Schneier from a few years ago: https://www.schneier.com/blog/archives/2016/03/data_is_a_tox...


Yeah, my point is just that the way databases have been developing recently has been towards eliminating mutation and deletion. The GDPR’s conception of deletion is fundamentally opposed to these models.

However, you can sort of match the two by storing personal data in a separate key-value map, using the (random) key from that map to link your data to the personal data and then just deleting the map entry when someone asks to be forgotten.

The annoying part is retrofitting data scrubbing into things like data warehouses and other systems of record, without accidentally deleting data you have a legal obligation to retain to satisfy, e.g. anti-money laundering laws or audit requirements.
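The separate key-value map described in the comment above, sketched as an added example that is not part of the original thread. Table and function names are hypothetical, the sample records are constructed, and SQLite stands in for whatever store is actually used.

```python
import secrets
import sqlite3

def open_store():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE pii_map (subject_key TEXT PRIMARY KEY, name TEXT, email TEXT);
        CREATE TABLE events (seq INTEGER PRIMARY KEY AUTOINCREMENT,
                             subject_key TEXT NOT NULL, action TEXT NOT NULL);
        -- Keep the log append-only: reject UPDATE and DELETE on events.
        CREATE TRIGGER events_no_update BEFORE UPDATE ON events
            BEGIN SELECT RAISE(ABORT, 'events is append-only'); END;
        CREATE TRIGGER events_no_delete BEFORE DELETE ON events
            BEGIN SELECT RAISE(ABORT, 'events is append-only'); END;
    """)
    return db

def register(db, name, email):
    key = secrets.token_hex(16)  # random, never derived from the personal data
    db.execute("INSERT INTO pii_map VALUES (?, ?, ?)", (key, name, email))
    return key

def record(db, key, action):
    db.execute("INSERT INTO events (subject_key, action) VALUES (?, ?)", (key, action))

def forget(db, key):
    # The only mutation in the system: drop the map entry for this subject.
    cur = db.execute("DELETE FROM pii_map WHERE subject_key = ?", (key,))
    return cur.rowcount == 1

def report(db):
    # Join the immutable log back to whatever personal data still exists.
    return db.execute("""SELECT e.seq, e.action, p.name FROM events e
                         LEFT JOIN pii_map p USING (subject_key)
                         ORDER BY e.seq""").fetchall()

def demo():
    db = open_store()
    alice = register(db, "Alice Example", "alice@example.test")  # constructed
    bob = register(db, "Bob Example", "bob@example.test")        # constructed
    for key, action in ((alice, "signup"), (bob, "signup"), (alice, "purchase")):
        record(db, key, action)
    before = report(db)
    forget(db, alice)
    return db, before, report(db)

if __name__ == "__main__":
    _, before, after = demo()
    print(before, after, sep="\n")
```

The event rows that remain still carry the opaque key, so all of one subject's events stay linkable to each other after the map entry is gone.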


It is insufficient to only mask PII because behavioural data can in some cases uniquely identify an individual, such as purchasing history. You have to destroy all data from the user.

By the way it is this stuff that is so maddening about GDPR. The EU steadfastly refused to be helpful by even answering frequently asked questions clearly.



