It is true. We built a special "GDPR delete" function that just went and replaced "Tom.Smith@gmail.com" with "nobody@nothing.com" and "Smith, Tom" with "Nobody, Whoever" and birthdate to "01.01.9999" or whatnot, and then we'd filter them out of queries.

You don't have to hard-delete an RDB class to get rid of one record. Just replace anything personal with gibberish.
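The overwrite-in-place delete described in this note, as an added example that is not part of the original thread. The schema, the `erased` flag, the `active_customer` view and the function names are assumptions; only the placeholder values come from the note.

```python
import sqlite3

# Placeholder values quoted in the note; everything else here is a constructed sample.
PLACEHOLDER = ("nobody@nothing.com", "Nobody, Whoever", "01.01.9999")

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")
    db.executescript("""
        CREATE TABLE customer (
            id INTEGER PRIMARY KEY,
            email TEXT NOT NULL, name TEXT NOT NULL, birthdate TEXT NOT NULL,
            erased INTEGER NOT NULL DEFAULT 0);
        CREATE TABLE orders (
            id INTEGER PRIMARY KEY,
            customer_id INTEGER NOT NULL REFERENCES customer(id),
            total_cents INTEGER NOT NULL);
        -- Application queries read this view, so erased rows are filtered out.
        CREATE VIEW active_customer AS
            SELECT id, email, name, birthdate FROM customer WHERE erased = 0;
        INSERT INTO customer (id, email, name, birthdate) VALUES
            (1, 'Tom.Smith@gmail.com', 'Smith, Tom', '17.05.1980'),
            (2, 'ann.lee@example.org', 'Lee, Ann', '02.11.1975');
        INSERT INTO orders (customer_id, total_cents) VALUES (1, 4200), (1, 999), (2, 150);
    """)
    return db

def gdpr_delete(db, customer_id):
    """Overwrite personal columns in place; keys and child rows stay untouched."""
    with db:  # one transaction: overwrite and flag together
        cur = db.execute(
            "UPDATE customer SET email = ?, name = ?, birthdate = ?, erased = 1 "
            "WHERE id = ? AND erased = 0", (*PLACEHOLDER, customer_id))
    return cur.rowcount  # 1 if a row was erased, 0 if unknown or already erased

def leftover_pii(db, needles):
    """Return every customer cell that still contains one of the given strings."""
    rows = db.execute("SELECT id, email, name, birthdate FROM customer").fetchall()
    return [(r[0], cell) for r in rows for cell in r[1:]
            if any(n.lower() in str(cell).lower() for n in needles)]

if __name__ == "__main__":
    db = make_db()
    print(gdpr_delete(db, 1), leftover_pii(db, ["smith", "gmail", "1980"]))
    print(db.execute("SELECT * FROM active_customer").fetchall())
    print(db.execute("SELECT COUNT(*) FROM orders WHERE customer_id = 1").fetchone())
```

If the `email` column carries a UNIQUE constraint, a single shared placeholder collides on the second erasure, so the placeholder then has to vary per row.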

Discussion

From a legal perspective that's probably good enough to be considered a delete :)

People who want GDPR compliance probably also need to propagate data removal through the backups as well.

Yes, but some data has to be maintained for legal reasons, so that also doesn't get deleted.

Need an archiving and deletion scheme for all of this, but there's no requirement to mess up your database relationships by removing table keys or something.

Alternatively, you can use crypto-shredding; it adds overhead, but it works instantly everywhere.