The honest premise: you cannot perfectly delete personal data from an immutable system. That is the architectural truth. Event logs, append-only lakes, immutable backups, distributed snapshots, content-addressed stores, and trained model weights all resist row-level deletion by design.
GDPR does not require the impossible. It requires that you take reasonable, proportionate steps, that you document the residual risk, and that you have a defensible plan for the bytes you cannot reach today. The accepted pragmatic patterns are:
- Crypto-shredding: encrypt per-subject (or per-tenant with a subject sub-key); destroy the key on erasure. The ciphertext is then statistically equivalent to noise. This is a widely accepted approach for data you cannot physically delete (immutable backups especially); no single EDPB guideline endorses it by name, so document the reasoning and treat destroying the key as the erasure event.
- Erasure-on-restore covenants: a documented, tested process where any restore from a backup must re-apply the erasure queue before the data goes live. CNIL backup guidance accepts this for backups whose deletion would be disproportionate.
- Tombstone propagation: compactable logs (Kafka with
cleanup.policy=compact) accept a null-payload tombstone for a key. Compaction physically removes the prior value.
- Subject-deletion markers in lakes: Iceberg row-level deletes (
MERGE INTO ... WHEN MATCHED THEN DELETE) or Delta DELETE FROM. The file rewrite removes the row from current snapshots; historical snapshots are then expired.
- Re-training or unlearning: for models trained on personal data, the realistic options are scheduled re-training without the erased subject's data, or, for a small but growing class of models, machine unlearning techniques.
The rest of this section walks through each surface in production and the pattern that applies.