>It’s only the last part we have a problem with. We’re not going to track down every trace of your data and delete it. We probably also won’t let you do an export.
If you can't easily delete or export my data, it means that you don't have a coherent, legible record of exactly how my data is being processed. You can't be sure if my data has been leaked or stolen. You can't guarantee that you'll be able to notify me in the event of a breach. You can't prove that my data was lawfully collected. I can't check the data you hold on me to ensure that it is accurate.
The GDPR is easy to comply with if your data protection policies and processes were decent to begin with. If you have read the text of the GDPR and can't see how you could bring your business into compliance, then you are almost certainly doing something seriously negligent or seriously shady.
We are not going to go looking through compressed archives and snapshots for your data. We are not going to run routines on immutable logs to filter out all trace of your history. We are not going to check CSV files used for imports. We are not going to track down any third parties who may have shared our data. We are not going to retrain neural networks on a new dataset that excludes your data. We are not going to move heaven and earth for a user who decides it'd be clever to demand all his data be deleted after reading a couple articles on Medium. We don't care how European you are.
What we can do, is set a little deleted flag on your profile to treat you as "deleted".
If you can't easily delete or export my data, it means that you don't have a coherent, legible record of exactly how my data is being processed. You can't be sure if my data has been leaked or stolen. You can't guarantee that you'll be able to notify me in the event of a breach. You can't prove that my data was lawfully collected. I can't check the data you hold on me to ensure that it is accurate.
The GDPR is easy to comply with if your data protection policies and processes were decent to begin with. If you have read the text of the GDPR and can't see how you could bring your business into compliance, then you are almost certainly doing something seriously negligent or seriously shady.