How to do right-to-be-forgetten right (IMHO)
– Create an identity store (with atleast known ids and proxies for ids)
– Create a key pair per identity
– Encrypt private data with the public key
– Decrypt private data with the private key (along with RBAC, Audit, logging and time bound access token)
– Delete the private key when the user exercises his right-to-forget.
– Remember the user’s decision and continue to encrypt private data that comes in future (however this time there is no way to decrypt.)
Note : identity registration, store, public key access for a given id can all be services which may be done in a centralized system. However decentralize encryption process and also the deduplication process for establishing an identity against all known proxies.