Hacker News
by tybit 1550 days ago
At big tech companies I’ve seen and heard about, the answer is crypto shredding. Encrypt all PII at rest with a per user data key. GDPR deletion requests can then delete the data key. This isn’t perfect, but it’s a step in the right direction IMO. Unfortunately I don’t see it being feasible for a typical company anytime soon.
1 comments

Still keeps foreign keys and the key management can be a nightmare. Basically, you're talking per customer encryption keys... Even then, you still might get something if you have enough other data to cross-ref/compare against/you're just looking for something to confirm/parallel construct from.
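
An added example, not code from either commenter: a sketch of the crypto shredding described in the first comment, which also shows the reply's point that the foreign key stays readable after the data key is deleted. The names `Row`, `keys`, `Encrypt`, `Decrypt` and `Shred` are hypothetical, and the in-memory map is an assumption standing in for a KMS.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Row keeps UserID (the foreign key) in cleartext and binds it to the PII as AAD.
type Row struct{ UserID string; Nonce, PII []byte }
// keys stands in for a KMS holding one AES-256 data key per user (assumption).
var keys = map[string][]byte{}

func aead(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key) // cannot fail: keys are always 32 bytes
	g, _ := cipher.NewGCM(block)   // cannot fail: AES has a 16-byte block
	return g
}

// Encrypt seals pii under the user's data key, creating the key on first use.
func Encrypt(userID, pii string) Row {
	if keys[userID] == nil {
		keys[userID] = make([]byte, 32)
		rand.Read(keys[userID]) // error ignored: never fails on Go 1.24+
	}
	g := aead(keys[userID])
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return Row{userID, nonce, g.Seal(nil, nonce, []byte(pii), []byte(userID))}
}

// Decrypt returns the PII, or an error once the user's key has been shredded.
func Decrypt(r Row) (string, error) {
	key, ok := keys[r.UserID]
	if !ok {
		return "", fmt.Errorf("data key for %s is gone", r.UserID)
	}
	pt, err := aead(key).Open(nil, r.Nonce, r.PII, []byte(r.UserID))
	return string(pt), err
}

// Shred answers an erasure request by deleting only the key; rows stay as stored.
func Shred(userID string) { delete(keys, userID) }

func main() {
	r := Encrypt("user-42", "alice@example.com") // constructed sample
	Shred("user-42")
	fmt.Println(Decrypt(r)) // PII is gone, yet r.UserID is still readable
}
```

The shredded row still carries `user-42`, so anything joined on that ID elsewhere remains linkable, and the erasure only holds if every copy and backup of the data key is destroyed as well.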