GDPR Article 17 gives data subjects the right to have their personal data erased without undue delay. The obligation sounds simple. In practice, most data teams lack the tooling to find every copy of a user's data, delete it completely, and produce credible evidence that the deletion happened.
Complete erasure
The requirement is not to delete the source record. It is to erase personal data 'without undue delay' across every location it exists — including backups, derived tables, cached copies, and connected downstream systems such as CRMs and marketing tools.
Timely response
Controllers must action erasure requests within one calendar month. Extensions of up to two additional months are permitted for complex requests, but only if the controller notifies the data subject of the extension and the reason within the first month.
Third-party notification
Where personal data has been disclosed to third parties, Article 17(2) requires the controller to inform those recipients of the erasure request so they can erase the data too. This obligation covers data processors and any downstream data recipients.
Verifiable evidence
Article 5(2) requires controllers to be able to demonstrate compliance. For erasure this means producing evidence of what was deleted, when, from which systems, and by what mechanism — not just asserting that a delete query was run.
The deletion runs against the application database but not the analytics warehouse, the data lakehouse, the marketing CRM, or the three derived tables that dbt materializes every night. Each missed location is a separate violation.
Warehouse snapshots retain plaintext data for weeks or months after the source row is deleted. Without crypto-shredding, backups are an open back door — every copy of that backup contains personal data that was supposed to be erased.
Knowing that a deletion ran is not the same as knowing what it covered. Without a lineage map that ties the original data to every derived system it reached, you cannot assert completeness — and completeness is what Article 5(2) requires you to demonstrate.
Teams often handle DSARs with a Jira ticket and a Slack message confirming the delete was done. A regulator or supervisory authority reviewing an erasure complaint will ask for timestamped, auditable evidence — not a closed ticket.
DPA investigations and audit reviews consistently look for the same five things. Most teams can answer some of them but not all.
Crypto-shredding answers questions 4 and 5 definitively: the mechanism is key destruction, and the evidence is a cryptographically signed certificate containing the key fingerprint, destruction timestamp, and the lineage of systems that held encrypted data under that key. That certificate is the same format as a code-signing receipt — it can be verified independently without trusting the issuer's word.
The European Data Protection Board Guidelines 01/2021 on Examples regarding Personal Data Breach Notification and subsequent national DPA opinions (notably the French CNIL and UK ICO guidance on pseudonymisation) confirm that data rendered permanently inaccessible through key destruction satisfies the erasure obligation, subject to two conditions:
Strong encryption
The encryption must be of a standard that makes the data computationally irrecoverable without the key. AES-256-GCM (used by Google Cloud KMS and AWS KMS) meets this bar. Weak or deprecated cipher suites do not.
Key unrecoverability
The key material must be genuinely destroyed with no recovery path. Hardware Security Module (HSM) backed key destruction, where the key is overwritten at the hardware level and the KMS provider cannot recover it, satisfies this condition.
Note: this is technical and product context, not legal advice. For regulatory decisions, consult qualified legal counsel familiar with the applicable jurisdiction.
The deletion request arrives — via DSAR intake, in-product user request, or programmatic API call. The request is logged with a timestamp and the requesting party.
Chameleon uses the PII registry — a live map of which tables and columns hold personal data for each user — to determine scope. No manual investigation required.
The Key Vault destroys the per-user encryption key via Cloud KMS. All warehouse rows encrypted under this key become unreadable simultaneously, including every backup and derived copy.
Connected downstream systems (CRM, marketing tools) receive wipe instructions. Completion receipts are collected per system. Third-party notification is handled automatically.
A signed deletion certificate is generated: key fingerprint, shred timestamp, lineage of covered systems. This is the Article 5(2) evidence. It can be stored, forwarded to the data subject, or attached to a regulatory response.