Question
Under GDPR right-to-erasure, when a user requests deletion you must remove their personal data everywhere it propagated within the legal deadline (e.g. 30 days), then PROVE it. A single user's data fans out from an OLTP source through CDC into a lakehouse, gets aggregated into derived tables, copied into a search index and a feature store, cached, and lands in append-only event logs and immutable backups. Design a system that finds every copy via lineage, deletes or anonymizes it, and produces an auditable certificate of erasure — without breaking aggregate analytics that don't actually need the identity.
Clarify scale and constraints first. Propose a clean component breakdown, then go deep on the hard parts — data model, bottlenecks, consistency, failure modes — and name the trade-offs you are making.