
> you can store it in an encrypted backup which you remove after 90 days (and throw away the key)

Sure. But that is much easier said than done. Especially if your previous strategy was to just keep everything, because storage is cheap, development cost is expensive, and then the data will still be there if the customer decides to return in a few years.

And in many (most?) cases it's not like you just have a single file with all the user's data; that data is spread around in many different database tables, and possibly even multiple databases. The development work to figure out how to clean everything up, without accidentally deleting anything wrong or leaving anything out, can be a considerable amount of effort.

It's also not always black and white who data belongs to. If I upload an image onto a document that was shared with me, should that image be deleted if I cancel my account? What about something I posted publicly on a social media platform? Or posted privately in a group chat or DM? Does it make a difference if the content of an image or text I wrote included PII? Hopefully you have a lawyer that understands the nuances involved.



I see this and I feel I must ask: why would you EVER engineer ANY application under the idiotic assumption that none of your users will ever want to remove the data that they had stored in it?! Absolutely baffling. Of course, if a business is that short-sighted and careless, it will struggle to implement GDPR.


It might be more nefarious when companies do that, but on the other hand, Hanlon's razor.



