Reviving this thread, as our org is looking into this right now as
well (last minute, but still).
For me, a small fraction of user/customer events would be considered
private data (change name/email/etc.), and the rest are non-private.
The easiest way I can think of to be GDRP-compliant is to to use
symmetric AES encryption for just the private data. So encode those
event fields (name,email) with a user specific key (generated on user
creation). That way the event store and any read models are considered
"anonymised", and therefore don't contain private data. Same with
backups(!). You only decode the encrypted fields on viewing in UI,
using the user specific key (probably along with some other keys as
well, we will use three keys total).
When a user invokes Article 17 ("right to erasure") you throw away
that users key. Your system, as a whole, is now considered purged of
that private data, and you didn't have to change any databases or
Seems like a fairly straight forward way to go about it.