[com]

Encrypt the data element using a nonce, encrypt the nonce using a public key whose private key will be purged from your HSM/SCD/key management system on a scheduled basis. You will need to retain metadata about the key ID too.

Don’t leak private keys, so you should generally use a decryption service if you need access to the data record. Handy to prove access too!

That works and survives fairly intense audits at least in my experience.