> Going in to the backups to delete their data there in insane.
If I was legally obliged to delete data then I'd make sure I deleted, regardless of the purpose or location of the storage. If you can't handle a delete request you shouldn't collect the data in the first place.
What you want to do is encrypt/anonymize per user information using a translation layer that also gets backed up. In case of a gdpr request, you delete this mapping / key and voila: data cleanup. The backup data becomes unusable.
But this obviously means building an extensive system to ensure the encoded identifier is the only thing used across your system (or a giant key management system).
In the past I’ve been a part of systems at exabyte scale that had to implement this. Hard but not impossible. I can see how orgs try to ‘legalese’ their way out of doing this though because the only forcing function is judicial.
If I was legally obliged to delete data then I'd make sure I deleted, regardless of the purpose or location of the storage. If you can't handle a delete request you shouldn't collect the data in the first place.