It doesn’t cost much at all for companies to have infrastructure to delete user data. That’s just a cascading delete in any relational table. Poof, data gone in a single query. Sure, some systems are slightly more complex but deleting data is one of the easier challenges for any company to solve.
What costs money is companies trying to figure out how to work around legal requirements, obfuscate this option from users, or forcing them to go through support-intensive processes to delete their data rather than just building this like any other core automated business function.
This hasn't been my experience. Do you work in a large company? My experience has been that there are heaps and piles of data including (or potentially including, unstructured) personal information. And lots of reasons why complete deletion isn't possible - because certain other information nearby the personal information is necessary for business purposes (like submitting invoices), or because the person requesting deletion only wants part - not all - deleted, or because the database is structured such that deletion isn't feasible until next year when we roll onto a new technology, etc etc.
I work at one of the largest, and have also worked at startups and in between.
Having PII littered about in ways that aren’t easily deletable is quite a canary. Companies with these issues are the same companies that end up with data breaches due to their cavalier treatment of user data. Perhaps these companies should be grateful they have a regulatory body ensuring they don’t fall too far behind the basic data stewardship practices the rest of the industry has in place.
Not sure why this is being downvoted. It’s precisely these companies that haven’t architected their systems well or prioritized the safety and security of PII by littering it about in various systems and making it “undeletable” in their processes, that need a swift kick in the ass to get it together.
I can’t believe people consider the argument that because companies have poorly managed systems and PII centered databases with no abstraction (and therefore are working right on actual customer record data in their data lakes), that this is somehow a viable argument for why we shouldn’t make deleting data possible.
Companies like this are the next Equifax. Why would you condone their stupidity?
Agree. My argument is more along the lines of, “the companies that aren’t prepared for this are the ones who most desperately need to clean up their act in the first place, cost aside.”
But I’m inarticulate and do understand your reasoned point.
> Having PII littered about in ways that aren’t easily deletable is quite a canary.
"We can't figure out how to delete PII" and "Our schema is flexible" are the same canary in my view.
Everything goes back to founders & business owners giving enough of a shit to force a good architecture from the beginning.
You can't build an effective schema to store complex information if your mission isn't clear yet. If concerns over PII storage are "we'll worry about that later", then whatever schema is invented from that point will mirror that vision.
If the vision is "PII == high-level radioactive waste", then the resulting schema may not even offer places to store it, outside of specially-controlled tables.
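As an added illustration, not from any commenter in this thread, here is what the "specially-controlled tables" idea looks like in a relational schema: all PII hangs off one table with ON DELETE CASCADE, so erasure is the single query the first comment describes, while invoice rows reference only an opaque id and survive. The table and column names are constructed for the example; it uses Python's built-in sqlite3.

```python
import sqlite3

# Constructed schema: PII is confined to customer_pii and tables beneath it.
SCHEMA = """
CREATE TABLE customer (
    id INTEGER PRIMARY KEY   -- opaque identifier, carries no PII
);
CREATE TABLE customer_pii (
    customer_id INTEGER PRIMARY KEY
        REFERENCES customer(id) ON DELETE CASCADE,
    full_name TEXT NOT NULL,
    email TEXT NOT NULL
);
CREATE TABLE shipping_address (
    id INTEGER PRIMARY KEY,
    customer_id INTEGER NOT NULL
        REFERENCES customer_pii(customer_id) ON DELETE CASCADE,
    street TEXT NOT NULL
);
-- Business records point at the opaque id only, so erasure leaves them intact.
CREATE TABLE invoice (
    id INTEGER PRIMARY KEY,
    customer_id INTEGER NOT NULL REFERENCES customer(id),
    amount_cents INTEGER NOT NULL
);
"""

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite ignores FK actions unless enabled
    conn.executescript(SCHEMA)
    return conn

def seed(conn):
    # Constructed sample customer with PII, an address and one invoice.
    conn.execute("INSERT INTO customer (id) VALUES (1)")
    conn.execute("INSERT INTO customer_pii VALUES (1, 'Ada Example', 'ada@example.com')")
    conn.execute("INSERT INTO shipping_address (customer_id, street) VALUES (1, '1 Main St')")
    conn.execute("INSERT INTO invoice (customer_id, amount_cents) VALUES (1, 4999)")
    conn.commit()

def erase_pii(conn, customer_id):
    # One statement; the cascade removes every dependent PII row.
    cur = conn.execute("DELETE FROM customer_pii WHERE customer_id = ?", (customer_id,))
    conn.commit()
    return cur.rowcount

def row_counts(conn):
    tables = ("customer", "customer_pii", "shipping_address", "invoice")
    return {t: conn.execute(f"SELECT COUNT(*) FROM {t}").fetchone()[0] for t in tables}
```

Running erase_pii(conn, 1) on the seeded database empties customer_pii and shipping_address while the customer and invoice rows remain.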