You can’t do much of anything if you’ve already given away the information in question — the same is true if someone copied the data itself.
You have to not give away the key in the first place, at least not to any clients that you don’t own.
E.g. following the rule “any problem can be solved with a level of indirection”, external clients get some Auth key A, which they feed to internal client, who internally maps it to some data key B, and decrypts the data and hands it back to the external client.
When the data is removed, you delete the mapping from your internal client.
You have to not give away the key in the first place, at least not to any clients that you don’t own.
E.g. following the rule “any problem can be solved with a level of indirection”, external clients get some Auth key A, which they feed to internal client, who internally maps it to some data key B, and decrypts the data and hands it back to the external client.
When the data is removed, you delete the mapping from your internal client.