[toomuchtodo]

Something I’ve been curious about:

Let’s say you’re a business using Microsoft Flow, Mulesoft, or something similar. You have user data considered GDPR-applicable within these systems as part of your business process workflow automation. How do you comply with user GDPR requests for visibility or deletion of their data if these systems don’t expose this to you (such as data in their logging, storage, and indexing systems)?

[sleepychu]

You can't store data in a way that doesn't allow you to delete it. Similar defence, what if I laser engrave your data into a diamond plate then lock it in a safe and throw away the key?