
So here is an idea about deleting accounts. Usually people may want to undo it at some point, but if it's deleted, it is deleted.

One of the things required by the GDPR is a way to export your data and even import it (article 20, right to portability). So you should implement a way to do that.

Then, when users ask to delete their account, create an export, encrypt it with a one-time-use key which you mail to the user, store this encrypted dump, and remove the rest of the data. Now, if the deletion was an error, the user can get their key from their email and get their account reinstated. And no one in your company can access the data in the meantime.



Technically very smart solution, but legally way too risky.

If there's ever a breach, for example someone steals the key and then accesses the data, the fine will be super high given that the company has retained data after the user asked to delete it.

To mitigate such risk, the company would at least need explicit consent of the user, at which point it's just the same as simply asking the user to not really delete their account.

A viable option, legally speaking, could be to send the dump to the user, in a way that can be easily imported back if the user ever wants to login again.


> for example someone steals the key and then accesses the data

That is why I set it up so the key is sent to the user but not kept by you. Someone steals the user's key? They can ask for a restore, but they won't have access to the data unless they've got the user's login info too. An employee steals the encrypted data? Enjoy the time spent cracking the cryptography.

A little like one of the solutions for deletion in event-sourced systems, but instead of completely losing the key, you give it to the user first.
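As an added example (not code from any commenter), here is the scheme sketched in the first comment together with the reply's point that a stolen key alone is not enough, written in Go with the standard library's AES-GCM. The Account schema and field names are constructed sample data, and binding the account identifier as additional authenticated data (so the mailed key only opens the export when presented for the matching account) is an assumption added for illustration; how the user proves control of that identifier before reaching the restore path is assumed to happen elsewhere.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Account stands in for whatever the portability export (GDPR art. 20)
// would contain. Constructed sample schema, not a real one.
type Account struct {
	ID    string   `json:"id"` // the identifier the user proves control of at restore time
	Email string   `json:"email"`
	Posts []string `json:"posts"`
}

// SealedExport is everything the operator retains after deletion:
// the AES-GCM ciphertext and its nonce. The key is never stored.
type SealedExport struct {
	Nonce      []byte
	Ciphertext []byte
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealExport serialises the account, encrypts it under a fresh random
// 256-bit key and returns the sealed blob plus the base64 key to be mailed
// to the user. The account ID is bound as additional authenticated data
// (an assumption of this example), so the key only opens the export when
// presented for the same account. The caller must not persist the key.
func sealExport(acct Account) (SealedExport, string, error) {
	plaintext, err := json.Marshal(acct)
	if err != nil {
		return SealedExport{}, "", err
	}
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return SealedExport{}, "", err
	}
	aead, err := newAEAD(key)
	if err != nil {
		return SealedExport{}, "", err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return SealedExport{}, "", err
	}
	ct := aead.Seal(nil, nonce, plaintext, []byte(acct.ID))
	return SealedExport{Nonce: nonce, Ciphertext: ct}, base64.StdEncoding.EncodeToString(key), nil
}

// restoreExport is the reinstatement path. accountID is the identity the
// user has already proven (login is assumed to happen elsewhere); mailedKey
// is what they paste from the email. A wrong key, a tampered blob or a
// mismatched account fails GCM authentication and yields no plaintext.
func restoreExport(sealed SealedExport, accountID, mailedKey string) (Account, error) {
	key, err := base64.StdEncoding.DecodeString(mailedKey)
	if err != nil || len(key) != 32 {
		return Account{}, errors.New("malformed restore key")
	}
	aead, err := newAEAD(key)
	if err != nil {
		return Account{}, err
	}
	pt, err := aead.Open(nil, sealed.Nonce, sealed.Ciphertext, []byte(accountID))
	if err != nil {
		return Account{}, errors.New("restore refused: key does not authenticate this export")
	}
	var acct Account
	if err := json.Unmarshal(pt, &acct); err != nil {
		return Account{}, err
	}
	return acct, nil
}

func main() {
	acct := Account{ID: "alice", Email: "alice@example.com", Posts: []string{"first post"}}
	sealed, key, err := sealExport(acct)
	if err != nil {
		panic(err)
	}
	// Here the operator deletes the live data and keeps only `sealed`;
	// `key` goes out by email and is dropped server-side.
	fmt.Printf("stored %d ciphertext bytes, key mailed to user\n", len(sealed.Ciphertext))

	if _, err := restoreExport(sealed, "alice", "not-the-key"); err != nil {
		fmt.Println("insider without the key:", err)
	}
	if _, err := restoreExport(sealed, "mallory", key); err != nil {
		fmt.Println("stolen key, wrong account:", err)
	}
	restored, err := restoreExport(sealed, "alice", key)
	if err != nil {
		panic(err)
	}
	fmt.Println("restored account for", restored.Email)
}
```

The two failure paths in `main` are the ones the thread argues about: someone holding only the stored blob cannot decrypt it, and someone holding only the mailed key cannot use it without also presenting the right account identity.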



