GDPR-004 critical Right to Be Forgotten

Cross-service data deletion

User data exists in many places (database, analytics, CRM, payment processor, etc.). Deletion must cover all services. Maintain a data map of where user data lives.

Question to ask

"User deleted — still in your CRM? Your analytics?"

Verification guide

Severity: Critical

User data lives in many places beyond your main database. Deletion must cover all of them.

Check automatically:

# Look for deletion propagation logic
grep -riE "cascade.*delet|propagate.*delet|delete.*all|cleanup.*user|purge.*service" src/ app/ lib/ --include="*.ts" --include="*.js" --include="*.py"

# Check for third-party service cleanup
grep -riE "stripe.*delet|intercom.*delet|segment.*delet|analytics.*delet|mailchimp.*delet|hubspot.*delet" src/ app/ --include="*.ts" --include="*.js"

# Look for data mapping documentation
grep -riE "data.*map|where.*stored|user.*data.*location|data.*inventory" docs/ --include="*.md"

# Check for queue/async deletion jobs
grep -riE "deletion.*job|cleanup.*job|purge.*queue|gdpr.*worker" src/ app/ jobs/ workers/ --include="*.ts" --include="*.js"

Ask user:

  • "Where does user data live beyond your main database?" (analytics, CRM, email provider, payment processor, logs, backups, CDN, Redis, Elasticsearch)
  • "Is there a data map documenting all locations?"
  • "Does your deletion process cover all these services?"

Common data locations to check:

| Service Type | Examples | Deletion Method |
|---|---|---|
| Payment processor | Stripe, Braintree | API call to delete customer |
| Email/CRM | Mailchimp, HubSpot, Intercom | API call or manual |
| Analytics | Segment, Mixpanel, Amplitude | API or data deletion request |
| Search | Elasticsearch, Algolia | Remove from index |
| Logs | CloudWatch, Datadog | May need retention policy |
| Backups | Database backups | Complex - often exempted with disclosure |

Cross-reference with:

  • GDPR-010 (ROPA documents where data lives)
  • GDPR-011 (third-party processors need deletion too)

Pass criteria:

  • Data map exists (inventory of where user data lives)
  • Deletion process covers all services (automated or documented manual steps)
  • Third-party deletion APIs integrated where available

Fail criteria:

  • Deletion covers only the main database; third parties are forgotten
  • No inventory of where data lives
  • "We probably have data in Intercom but don't clean it up"

Notes: Backups are tricky. GDPR allows keeping backups if this is disclosed and the data is deleted again whenever a backup is restored. Document this exception.

Evidence to capture:

  • Data inventory/map location
  • Services covered by deletion process
  • Any known gaps or exceptions (e.g., backups)
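The following Python sketch is an added example, not part of the original checklist: a deletion routine driven by the data map, which walks every listed location, keeps going when one service fails, and returns a per-location record usable as evidence. All names (`Location`, `delete_user_everywhere`, `drop_from`, `crm_delete`, the in-memory stores) are hypothetical stand-ins for real stores and vendor clients.

```python
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass
class Location:
    name: str                                        # entry in the data map
    method: str                                      # "api", "manual" or "exempt"
    handler: Optional[Callable[[str], bool]] = None  # api: True once data is gone
    note: str = ""                                   # runbook or documented exception

def delete_user_everywhere(user_id: str, data_map: list) -> dict:
    """Walk the whole data map; return an evidence record for one erasure request."""
    results = {}
    for loc in data_map:
        if loc.method == "api" and loc.handler:
            try:
                results[loc.name] = "deleted" if loc.handler(user_id) else "failed"
            except Exception as exc:   # one failing service must not hide the rest
                results[loc.name] = f"failed: {exc}"
        elif loc.method == "manual" and loc.note:
            results[loc.name] = f"manual step pending: {loc.note}"
        elif loc.method == "exempt" and loc.note:
            results[loc.name] = f"exempt: {loc.note}"
        else:
            results[loc.name] = "gap: no deletion path documented"
    complete = all(r == "deleted" or r.startswith("exempt") for r in results.values())
    return {"user_id": user_id, "complete": complete, "results": results}

# Constructed in-memory stand-ins for real stores and vendor APIs (hypothetical).
def drop_from(store: dict) -> Callable[[str], bool]:
    def handler(user_id: str) -> bool:
        store.pop(user_id, None)
        return user_id not in store    # idempotent: already absent counts as deleted
    return handler

def crm_delete(user_id: str) -> bool:
    raise ConnectionError("CRM API timeout")         # simulated outage

main_db = {"u1": {"email": "a@example.com"}}
search_index = {"u1": "profile doc"}
DATA_MAP = [
    Location("main database", "api", drop_from(main_db)),
    Location("search index", "api", drop_from(search_index)),
    Location("crm", "api", crm_delete),
    Location("email provider", "manual", note="support ticket per runbook"),
    Location("analytics", "api"),                    # in the map, never wired up
    Location("backups", "exempt", note="disclosed; re-delete after any restore"),
]

if __name__ == "__main__":
    print(delete_user_everywhere("u1", DATA_MAP))
```

A request is only reported as complete when every location is either deleted or a documented exemption; failed calls, pending manual steps and undocumented gaps all keep it open.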

Section

37. GDPR & Privacy Compliance

Operations & Incident Management