Technical Implementation of GDPR Right to Erasure
A practical guide to building systems that can fulfill GDPR right to erasure requests efficiently and completely.
Understanding the Right to Erasure
The right to erasure, also known as the "right to be forgotten," is established in GDPR Article 17. It gives individuals the right to request that a controller delete their personal data without undue delay. Controllers must comply when:
- The data is no longer necessary for the purpose it was collected
- The individual withdraws consent and no other legal basis applies
- The individual objects to processing and there are no overriding legitimate grounds
- The data was unlawfully processed
- Deletion is required to comply with a legal obligation
- The data was collected in relation to a child's use of information society services
However, the right is not absolute. Exceptions exist for data needed to exercise freedom of expression, comply with legal obligations, serve public health interests, archive in the public interest, or establish, exercise, or defend legal claims.
The Technical Challenge
Implementing the right to erasure is straightforward in theory but complex in practice. Personal data rarely lives in a single database table. It propagates across:
- Primary databases
- Analytics systems
- Backup files
- Log files
- Search indexes
- Cached layers
- Third-party systems
- Data warehouses
- Message queues
A complete erasure implementation must account for all of these locations.
Step 1: Build a Personal Data Inventory
Before you can delete data, you must know where it lives. Create a machine-readable inventory that maps each data subject identifier to every system and data store that holds their personal data.
Inventory Components
| Component | Description |
|---|---|
| Data subject identifiers | User ID, email, account number, etc. |
| Data stores | Each database, file system, or service containing personal data |
| Data categories | What types of personal data each store holds |
| Retention rules | Minimum and maximum retention periods per store |
| Deletion method | How data is removed from each store (hard delete, anonymization, etc.) |
| Dependencies | Other systems that must be updated after deletion |
Step 2: Design an Erasure Request Workflow
Build a structured workflow to handle erasure requests from receipt to confirmation.
Workflow Stages
- Request intake: Capture the request through a self-service portal, email, or customer support channel
- Identity verification: Confirm that the requester is the data subject or an authorized agent
- Scope assessment: Determine which data is subject to erasure and whether any exceptions apply
- Execution: Delete or anonymize the data across all identified systems
- Verification: Confirm that deletion was completed successfully
- Response: Notify the data subject that the request has been fulfilled
- Documentation: Log the request, actions taken, and any exceptions applied
Step 3: Implement Deletion Across System Types
Relational Databases
- Use cascading deletes or explicit multi-table delete operations
- Handle foreign key constraints carefully to avoid orphaned records
- Consider soft delete (marking records as deleted) as an interim step, but ensure hard deletion occurs within your defined timeframe
- Test deletion queries against realistic data volumes to avoid performance issues
Document Stores and Object Storage
- Delete all files, documents, and objects associated with the data subject
- Remove metadata entries that could identify the individual
- Purge any derived files (thumbnails, previews, processed versions)
Search Indexes
- Remove the data subject's records from search indexes (Elasticsearch, Solr, Algolia, etc.)
- Force a re-index if necessary to ensure stale data is not served from cache
Caches and CDNs
- Invalidate or purge cached content containing personal data
- Set cache TTLs (time to live) so that cached personal data expires within a reasonable period even without manual invalidation
Analytics and Data Warehouses
- Delete or anonymize records in analytics databases (BigQuery, Redshift, Snowflake)
- Remove identifiers from event streams and ETL pipelines
- Ensure downstream reporting does not retain identifiable data after deletion
Log Files
- Logs are one of the hardest areas to handle. Options include:
- Designing log formats to exclude personal data from the start (preferred)
- Implementing log scrubbing processes that redact personal data
- Accepting that logs with retention periods of 30 to 90 days will naturally expire
- Documenting a proportionate approach if immediate log deletion is technically infeasible
Backups
Backups present a special challenge because they are designed to be immutable.
Approaches:
- Crypto-shredding: Encrypt each user's data with a unique key. To "erase" the data, delete the key, rendering the backup data unreadable.
- Backup rotation: Document that backup data will be erased as backups are rotated out on their normal schedule (typically 30 to 90 days).
- Selective restore exclusion: Maintain a suppression list so that if a backup is restored, previously erased records are not reintroduced.
Third-Party Systems
- Send deletion requests to all processors and sub-processors who hold the data subject's personal data
- Track compliance from third parties and follow up on outstanding requests
- Include contractual obligations for erasure in your Data Processing Agreements
Step 4: Handle Exceptions and Partial Erasure
Not all data can be deleted. Build logic to handle:
- Legal holds: Data subject to litigation or regulatory investigation cannot be deleted
- Financial records: Tax and accounting regulations may require retention for 5 to 10 years
- Contractual obligations: Some data may need to be retained for warranty or liability periods
- Anonymized data: Truly anonymized data is no longer personal data and need not be erased
When exceptions apply, erase everything that can be erased and clearly document the justification for retaining the rest.
Step 5: Automate and Scale
Manual erasure processes do not scale. Invest in automation:
- Build an erasure orchestration service that triggers deletion across all systems from a single request
- Use message queues to manage asynchronous deletion tasks
- Implement retry logic for transient failures
- Generate audit logs automatically for each deletion action
- Create dashboards to monitor request volumes, completion rates, and SLA compliance
Step 6: Test Your Implementation
- Run end-to-end deletion tests with representative data
- Verify that data is actually gone (query all systems post-deletion)
- Test edge cases: partial exceptions, data subject with records in multiple jurisdictions, concurrent requests
- Include erasure testing in your CI/CD pipeline
Meeting the 30-Day Deadline
GDPR requires that erasure requests be fulfilled within one month. This deadline can be extended by two additional months for complex requests, but the data subject must be informed of the extension and the reasons within the first month.
To consistently meet this deadline, organizations need clear data inventories, automated workflows, and infrastructure that makes data locatable and deletable. Hosting solutions like GlobalDataShield, which enforce data residency and maintain structured data management, simplify the task of locating and removing personal data across your infrastructure when erasure requests arrive.
Ready to Solve Data Residency?
Get started with GlobalDataShield - compliant document hosting, ready when you are.