Implements automated data deletion workflows for GDPR Article 17 right to erasure and retention period expiry. Covers cascading deletion across dependent systems, dependency handling for referential integrity, confirmation logging, and audit trail generation. Activate for automated deletion, erasure automation, data purge, retention expiry queries.
Automated deletion workflows ensure that personal data is removed from all systems when retention periods expire or when a valid erasure request is received under GDPR Article 17. Manual deletion at scale is error-prone and fails to meet the storage limitation principle consistently. This skill defines the architecture, logic, and operational procedures for building automated deletion pipelines that handle cascading dependencies, maintain referential integrity, produce audit-grade confirmation logs, and satisfy both scheduled retention expiry and on-demand erasure requests.
The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay, and the controller shall have the obligation to erase personal data without undue delay where one of the specified grounds applies.
Personal data shall be kept for no longer than is necessary for the purposes for which the personal data are processed. Automated deletion is the primary technical measure for enforcing this principle at scale.
The controller shall implement appropriate technical and organisational measures designed to implement data-protection principles, such as data minimisation, in an effective manner. Automated deletion is a core by-design control.
Records of processing activities must include, where possible, the envisaged time limits for erasure of the different categories of data. Automated deletion systems operationalize these envisaged time limits.
| Trigger Type | Source | SLA | Priority |
|---|---|---|---|
| Retention expiry | Retention schedule metadata reaching calculated deletion date | Within 30 days of expiry | Standard |
| Data subject erasure request | Verified Art. 17 request via DSAR workflow | Within 30 calendar days of verified request | High |
| Consent withdrawal | Consent management platform event | Within 30 days (best practice: 72 hours) | High |
| Account closure | Customer account termination event | Per retention schedule (post-closure retention period) | Standard |
| Purpose completion | Processing purpose fulfilled, no further legal basis | Within 30 days of purpose completion | Standard |
| Legal hold release | Litigation hold lifted by Legal counsel | Within 14 days of hold release | Standard |
┌─────────────────────────────────────────────────────────────┐
│ DELETION ORCHESTRATOR │
│ ┌──────────────┐ ┌──────────────┐ ┌──────────────────┐ │
│ │ Trigger │ │ Dependency │ │ Execution │ │
│ │ Engine │ │ Resolver │ │ Engine │ │
│ │ │ │ │ │ │ │
│ │ - Scheduled │ │ - FK mapping │ │ - System agents │ │
│ │ - Event-driven│ │ - Cascade │ │ - API calls │ │
│ │ - On-demand │ │ rules │ │ - Direct DB ops │ │
│ │ - Hold check │ │ - Orphan │ │ - File system │ │
│ │ │ │ handling │ │ purge │ │
│ └──────┬───────┘ └──────┬───────┘ └────────┬─────────┘ │
│ │ │ │ │
│ └────────┬────────┘ │ │
│ ▼ │ │
│ ┌──────────────────────────┐ │ │
│ │ Deletion Job Queue │─────────────────┘ │
│ │ (Priority-ordered) │ │
│ └──────────────────────────┘ │
│ │ │
│ ▼ │
│ ┌──────────────────────────┐ ┌──────────────────────────┐ │
│ │ Confirmation Logger │ │ Audit Trail Generator │ │
│ │ - Per-system status │ │ - Immutable audit log │ │
│ │ - Completion timestamp │ │ - Deletion certificate │ │
│ │ - Verification hash │ │ - Regulatory report │ │
│ └──────────────────────────┘ └──────────────────────────┘ │
└─────────────────────────────────────────────────────────────┘
[Daily Retention Scan — 02:00 UTC]
│
▼
[Query all records where calculated_deletion_date <= TODAY + 30 days]
│
▼
[For each record approaching expiry]
│
├── [Check: Active litigation hold?]
│ ├── Yes ──► [Skip — log hold reference, notify Legal]
│ └── No ──► Continue
│
├── [Check: Active regulatory investigation?]
│ ├── Yes ──► [Skip — log investigation reference]
│ └── No ──► Continue
│
├── [Check: Pending data subject request referencing this data?]
│ ├── Yes ──► [Coordinate with DSAR workflow]
│ └── No ──► Continue
│
├── [Check: Retention exception approved?]
│ ├── Yes ──► [Skip — log exception reference and expiry]
│ └── No ──► Continue
│
▼
[Add to deletion job queue with priority: STANDARD]
│
▼
[On calculated_deletion_date: Execute deletion]
[Verified Art. 17 Erasure Request Received]
│
▼
[Data Discovery — Identify all instances of data subject's data]
│
├── Primary databases (CRM, ERP, HR system)
├── Data warehouse and analytics platforms
├── File storage (SharePoint, network drives, cloud storage)
├── Email and communication systems
├── Backup and archive systems
├── Third-party processor systems
└── Logs and audit trails
│
▼
[Generate Deletion Manifest]
Reference: DEL-YYYY-NNNN
Data Subject: [Pseudonymised reference]
Systems identified: [List with record counts]
Exceptions identified: [Any Art. 17(3) exceptions]
Estimated completion: [Date]
│
▼
[DPO Review and Approval]
├── Approved ──► [Add to deletion job queue with priority: HIGH]
└── Exceptions found ──► [Partial deletion — exclude excepted data]
│
▼
[Execute deletion across all identified systems]
When deleting a primary record, dependent records across related systems must also be deleted. The cascading deletion resolver handles referential integrity:
[Primary Record Identified for Deletion]
│
▼
[Load Dependency Map for Record Type]
│
▼
[Resolve Dependencies — Depth-First Traversal]
│
├── [Level 0: Primary record]
│ Example: Customer record in CRM
│
├── [Level 1: Direct dependents]
│ Example: Orders, support tickets, consent records
│
├── [Level 2: Secondary dependents]
│ Example: Order line items, payment records, shipping records
│
└── [Level 3+: Tertiary dependents]
Example: Invoice line items, refund records
│
▼
[For each dependent record]
│
├── [Shared dependency?]
│ (Record also linked to other primary records not being deleted)
│ ├── Yes ──► [Nullify foreign key — do NOT delete]
│ └── No ──► [Add to deletion manifest]
│
├── [Legal retention override?]
│ (Dependent record has its own statutory retention requirement)
│ ├── Yes ──► [Anonymize link to primary record, retain dependent]
│ └── No ──► [Add to deletion manifest]
│
└── [Aggregated/statistical record?]
(Record contributes to aggregated reporting)
├── Yes ──► [Anonymize — remove personal identifiers, retain aggregate]
└── No ──► [Add to deletion manifest]
│
▼
[Execute deletion in reverse order (deepest dependents first)]
Level 3+ ──► Level 2 ──► Level 1 ──► Level 0
The following dependency map is configured for Orion Data Vault Corp:
| Primary Entity | Dependent Entity | Relationship | Deletion Action | Retention Override |
|---|---|---|---|---|
| Customer | Orders | 1:N | Cascade delete (after statutory retention) | 6 years — HMRC |
| Customer | Support Tickets | 1:N | Cascade delete | 3 years — limitation period |
| Customer | Consent Records | 1:N | Cascade delete | Retain suppression record |
| Customer | Marketing Preferences | 1:1 | Cascade delete | Retain opt-out on suppression list |
| Customer | Account Audit Log | 1:N | Anonymize (nullify customer reference) | 7 years — audit retention |
| Order | Order Lines | 1:N | Cascade delete | Follows order retention |
| Order | Payment Records | 1:N | Anonymize | 6 years — financial records |
| Order | Shipping Records | 1:N | Cascade delete | Follows order retention |
| Order | Invoices | 1:N | Anonymize | 6 years — tax records |
| Employee | Payroll Records | 1:N | Cascade delete (after statutory retention) | 6 years — PAYE Regulations |
| Employee | Performance Reviews | 1:N | Cascade delete | Duration of employment + 6 years |
| Employee | Access Logs | 1:N | Anonymize | 2 years — security retention |
Every deletion execution produces an immutable confirmation record:
DELETION CONFIRMATION RECORD — Orion Data Vault Corp
-----------------------------------------------------
Reference: DEL-2026-0142
Trigger: Retention expiry / Art. 17 request / Consent withdrawal
Data Subject Reference: DS-HASH-a3f8c2e1
Request Date: 2026-02-15 (if applicable)
Execution Date: 2026-03-14
Completed Date: 2026-03-14T14:23:07Z
SYSTEMS PROCESSED:
┌─────────────────────────┬──────────┬───────────────┬──────────────────┐
│ System │ Records │ Action │ Status │
├─────────────────────────┼──────────┼───────────────┼──────────────────┤
│ CRM (Salesforce) │ 1 │ Hard delete │ Confirmed │
│ ERP (SAP) │ 47 │ Hard delete │ Confirmed │
│ Data Warehouse (BQ) │ 312 │ Hard delete │ Confirmed │
│ Email (Exchange) │ 23 │ Hard delete │ Confirmed │
│ File Storage (S3) │ 8 │ Hard delete │ Confirmed │
│ Backup (Veeam) │ N/A │ Flagged │ Pending (cycle) │
│ Analytics (Mixpanel) │ 156 │ Hard delete │ Confirmed │
│ Support (Zendesk) │ 12 │ Hard delete │ Confirmed │
│ Audit Log │ 89 │ Anonymized │ Confirmed │
│ Payment (Stripe) │ 5 │ Anonymized │ Confirmed │
└─────────────────────────┴──────────┴───────────────┴──────────────────┘
THIRD-PARTY NOTIFICATIONS (Art. 19):
- Processor A (Analytics SaaS): Notified 2026-03-14, confirmed 2026-03-16
- Processor B (Email service): Notified 2026-03-14, confirmed 2026-03-15
- Processor C (Payment gateway): Notified 2026-03-14, pending
EXCEPTIONS APPLIED:
- Financial records (invoices): Anonymized, retained until 2032-03-14 (6-year statutory period)
- Audit log entries: Anonymized, retained until 2033-03-14 (7-year audit retention)
BACKUP DELETION:
- Backup system: Next full rotation cycle completes 2026-06-12
- Expected complete erasure from backups: 2026-06-12
VERIFICATION:
- Post-deletion scan completed: 2026-03-14T14:45:00Z
- Residual data found: None
- Verification hash: SHA-256:e3b0c44298fc1c149afbf4c8996fb924...
Executed by: Deletion Orchestrator v3.2 (automated)
Reviewed by: [DPO Name] (for Art. 17 requests only)
| Failure Type | Action | Retry | Escalation |
|---|---|---|---|
| System unavailable | Queue for retry | 3 attempts at 1h, 4h, 24h intervals | Alert IT Operations after 3 failures |
| Permission denied | Log error, flag for manual review | No automatic retry | Escalate to system administrator |
| Referential integrity violation | Route to dependency resolver | Re-resolve dependencies, retry | Escalate to DPO if unresolvable |
| Partial deletion (some records failed) | Log successful deletions, retry failed | 3 attempts | Escalate to IT + DPO |
| Third-party processor non-response | Send reminder at 7 days | Follow up at 14 days | Escalate to DPO + Legal at 21 days |
| Backup system — cannot delete from active backup | Flag for next rotation cycle | Monitor backup rotation schedule | Alert if not completed within 90 days |
Deletion is inherently irreversible. Therefore:
| Metric | Target | Measurement |
|---|---|---|
| Retention expiry deletion completion rate | 99.5% within 30 days of expiry | Monthly |
| Art. 17 erasure request completion rate | 100% within 30 calendar days | Per request |
| Average deletion execution time | < 4 hours (end-to-end across all systems) | Per execution |
| Failed deletion rate | < 0.5% | Monthly |
| Backup deletion completion rate | 100% within backup rotation cycle | Per rotation |
| Third-party processor confirmation rate | 100% within 14 days | Per notification |
The automated deletion system generates a quarterly report containing: