GDPR is vague, so you bump into things like [WayBack] Nick Craver on Twitter: “GDPR Erasure is fun, because you are required to disassociate the fact it happened as well, or at least disassociate it from the person. So when a regulator audits you, how can you prove you did it? Yeah let’s just ignore those pesky details.”
This seems to be a viable solution: [WayBack] Adam Surak on Twitter: “We’re removing everything and keeping hash of login/email… “
–jeroen