1

As given here: Permanently delete a record, it is not fully possible to remove data completely.

Then what do financial institutions do? Institutions that store authenticating, delicate details? Even if those are encrypted and the key deleted, hard drive recovery services may recover the key. Also, the key may be stored in a cache.

schroeder
    Do you realise that several laws and banking regulations require that records be kept for a period of time? That digital records are not fully purged? – schroeder Feb 24 '21 at 14:13
  • No, I meant automatic billing companies who bill automatically with saved cards. – savegoodlyfnotendorsinganswer Feb 24 '21 at 14:15
    That's awfully specific. And that's not a "financial institution". That's a payment processor. And why would they need to completely delete records? – schroeder Feb 24 '21 at 15:11
  • I replaced the link you removed since it was required for context for what you wrote. – schroeder Jan 16 '22 at 08:49
  • It's still not very clear if you're asking about well defined [technical details](https://www.nsa.gov/portals/75/documents/resources/everyone/media-destruction/storage-device-declassification-manual.pdf) or about rather vague *cookie laws*... – Free Consulting Jun 15 '22 at 12:39

4 Answers

1

They will follow legal frameworks such as the GDPR, or others relevant to their jurisdiction, that dictate the organization's requirements for holding and securing data. To demonstrate my point, you can see that even in the GDPR's Right to Erasure Request Form there is a clause stating that some data may have to be retained to comply with the law, and the sensitive data mentioned in your question is the sort of thing these institutions would have to securely retain for a given time (e.g. a payment processor holding onto records of a payment in the event of a legal dispute).

Purging a given record from the entire organization immediately would be an overall cost-ineffective task, as the data should be backed up in separate locations, and editing existing SQL backups would make it very easy for internal operators to deliberately or accidentally corrupt the files. In addition, reporting such incidents would be hairy, as you would have created a process where people are tampering (on schedule) with or deleting your backups!

Even removing 'ghost' records from an RDBMS can be difficult; for instance, MS SQL Server includes the command sp_clean_db_free_space, which removes deleted records that are no longer referenced but still present in the relation, but Microsoft recommends only running it during off-peak times (which a bank or payment processor may not have a guarantee of). As a counterpoint, MySQL has a worklog detailing potential options for doing what you ask (within a given DB on the DBMS), but I do not think any of these have been implemented as of yet.

Returning to my GDPR example, you can see that in their Checklist immediate purging of information is not even mentioned. I would say that the system you're envisioning, of immediate and permanent data erasure, is not something most companies can afford to do as part of their day-to-day MO.

anotherusername
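The 'ghost record' point in the answer above can be seen without a SQL Server instance. The following is an added example (not part of the answer, and not vendor code) that uses SQLite as a stand-in: it inserts a few constructed rows, deletes one through SQL, and then scans the raw database file for the deleted value. The `secure_delete` pragma and the `VACUUM` step are SQLite's own mechanisms; the table name, the sample rows and the test card numbers are assumptions made for the demo. Only the main database file is inspected; rollback journals, WAL files, backups and freed filesystem blocks are a separate matter, which is exactly the answer's argument.

```python
import os
import shutil
import sqlite3
import tempfile

# Constructed sample data for the demo (industry test PANs, not real cards).
SECRET_PAN = "4111111111111111"
SAMPLE_ROWS = [
    ("alice", "5555555555554444"),
    ("bob", SECRET_PAN),
    ("carol", "378282246310005"),
]


def file_contains(path: str, needle: bytes) -> bool:
    """Scan the raw database file for a byte string, bypassing the SQL layer."""
    with open(path, "rb") as f:
        return needle in f.read()


def delete_and_inspect(secure_delete: bool, vacuum: bool = False) -> dict:
    """Insert sample rows, delete one through SQL, and report whether the value
    is still visible via a query and whether it still exists in the file bytes."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "cards.db")
    con = sqlite3.connect(path)
    # Rollback-journal mode (the default) keeps the demo to a single data file.
    con.execute("PRAGMA journal_mode=DELETE")
    # secure_delete=ON makes SQLite overwrite freed cell content with zeros;
    # OFF only unlinks the cell and leaves its bytes in place.
    con.execute("PRAGMA secure_delete=%s" % ("ON" if secure_delete else "OFF"))
    con.execute("CREATE TABLE cards(id INTEGER PRIMARY KEY, holder TEXT, pan TEXT)")
    con.executemany("INSERT INTO cards(holder, pan) VALUES (?, ?)", SAMPLE_ROWS)
    con.commit()
    in_file_before = file_contains(path, SECRET_PAN.encode())

    # Application-level deletion: the row is gone as far as SQL is concerned.
    con.execute("DELETE FROM cards WHERE pan = ?", (SECRET_PAN,))
    con.commit()
    if vacuum:
        # VACUUM rebuilds the file from live rows only, dropping dead cells
        # (the old file contents may still survive at the filesystem level).
        con.execute("VACUUM")
    con.close()

    con = sqlite3.connect(path)
    visible = con.execute(
        "SELECT COUNT(*) FROM cards WHERE pan = ?", (SECRET_PAN,)
    ).fetchone()[0]
    con.close()
    result = {
        "in_file_before": in_file_before,
        "visible_after": visible,
        "in_file_after": file_contains(path, SECRET_PAN.encode()),
    }
    shutil.rmtree(workdir, ignore_errors=True)
    return result


if __name__ == "__main__":
    print("secure_delete OFF :", delete_and_inspect(False))
    print("secure_delete ON  :", delete_and_inspect(True))
    print("OFF + VACUUM      :", delete_and_inspect(False, vacuum=True))
```

With `secure_delete` off, the query reports zero matching rows while the card number is still readable from the file with a hex editor; turning the pragma on, or running `VACUUM`, removes it from the file but not from any backup or journal copy taken earlier.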
1

It depends on the precise requirement, which is typically driven by a compliance regulation like GDPR.

In the UK, the ICO (which regulates the UK GDPR) has informally indicated that it considers data that has been "put beyond reach" to be deleted, so that you don't have to go back and strip it out of old backups. If you've deleted it, and don't intend to put it back or use it again, that is enough even if you could perhaps get it back with some work.

Where you absolutely positively have to permanently and irrecoverably delete data, physical destruction is the usual approach.

Graham Hill
1

You can define this according to your data disposal policies. In addition, you might have legal obligations as well. It is always based on the data you are processing. NIST 800-88 provides comprehensive details about media sanitization.

There are several media sanitization methods available:

  1. Deleting

Erasing media is simply performing a delete operation against a file, a selection of files, or the entire media. In most cases, the deletion or removal process removes only the directory or catalog link to the data. The actual data remains on the drive. As new files are written to the media, the system eventually overwrites the erased data, but depending on the size of the drive, how much free space it has, and several other factors, the data may not be overwritten for months. Anyone can typically retrieve the data using widely available undelete tools.

  2. Purging

Purging is a more intense form of clearing that prepares media for reuse in less secure environments. It provides a level of assurance that the original data is not recoverable using any known methods. A purging process will repeat the clearing process multiple times and may combine it with another method such as degaussing to completely remove the data. Even though purging is intended to remove all data remnants, it isn't always trusted. For example, the U.S. government doesn't consider any purging method acceptable to purge top secret data. Media labeled top secret will always remain top secret until it is destroyed.

  3. Clearing/overwriting

Clearing is a process of preparing media for reuse and ensuring that the cleared data cannot be recovered using traditional recovery tools. When media is cleared, unclassified data is written over all addressable locations on the media. One method writes a single character, or a specific bit pattern, over the entire media. A more thorough method writes a single character over the entire media, writes the character's complement over the entire media, and finishes by writing random bits over the entire media.

Degaussing:

A degausser creates a strong magnetic field that erases data on some media in a process called degaussing. Technicians commonly use degaussing methods to remove data from magnetic tapes with the goal of returning the tape to its original state. It is possible to degauss hard disks, but we don’t recommend it. Degaussing a hard disk will normally destroy the electronics used to access the data. However, you won’t have any assurance that all of the data on the disk has actually been destroyed. Someone could open the drive in a clean room and install the platters on a different drive to read the data. Degaussing does not affect optical CDs, DVDs, or SSDs.

But the most successful data destruction method is destruction of the media. It could be shredding, incineration, dissolving in chemicals, crushing, etc.

In addition to that, you can read about SSD sanitization at this link.

(copied from CISSP official guide 8th Edition)

Infra
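The "clearing/overwriting" method described in the answer above (a fixed byte, its complement, then random data) is simple enough to implement directly. The following is an added example, not code from the answer or from the CISSP guide it quotes: it performs the three passes over a file, fsyncs and read-back-verifies each pass, then truncates and unlinks the file. The file name, the 0x55 pattern and the constructed secret it is seeded with are assumptions for the demo. The technique only means something on media that writes in place (a raw magnetic disk or partition opened as a block device); on SSDs with wear-levelling, copy-on-write or snapshotting filesystems, and anything with a journal, the original blocks can survive every pass, which is why NIST SP 800-88 points to the device's own sanitize commands for flash media.

```python
import hashlib
import os
import secrets
import tempfile

CHUNK = 1 << 16  # write granularity, 64 KiB


def _overwrite_pass(path: str, size: int, pattern) -> str:
    """Write one pass over the first `size` bytes of the file and return the
    SHA-256 of what was written. `pattern` is a byte value to repeat, or None
    for cryptographically random bytes."""
    digest = hashlib.sha256()
    with open(path, "r+b") as f:
        remaining = size
        while remaining:
            n = min(CHUNK, remaining)
            buf = secrets.token_bytes(n) if pattern is None else bytes([pattern]) * n
            f.write(buf)
            digest.update(buf)
            remaining -= n
        f.flush()
        os.fsync(f.fileno())  # push this pass to the device before starting the next
    return digest.hexdigest()


def _readback_hash(path: str) -> str:
    """Hash the file as the OS now presents it. Note this goes through the page
    cache: it proves the write path, not what the physical medium holds."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()


def clear_file(path: str, first_byte: int = 0x55) -> list:
    """Three-pass clear: fixed byte, its complement, then random bytes, each
    verified by read-back. Afterwards the file is truncated and unlinked.
    Returns [(pass_name, verified_ok), ...]."""
    size = os.path.getsize(path)
    passes = [
        ("pattern", first_byte),
        ("complement", (~first_byte) & 0xFF),
        ("random", None),
    ]
    results = []
    for name, pat in passes:
        written = _overwrite_pass(path, size, pat)
        results.append((name, written == _readback_hash(path)))
    with open(path, "r+b") as f:
        f.truncate(0)
    os.remove(path)  # only now is the directory entry dropped
    return results


def demo() -> dict:
    """Constructed input: a temporary file holding a fake secret, cleared in place."""
    fd, path = tempfile.mkstemp(prefix="clear-demo-")
    with os.fdopen(fd, "wb") as f:
        f.write(b"CONSTRUCTED-SECRET-4111111111111111\n" * 4000)
    passes = clear_file(path)
    return {"passes": passes, "exists": os.path.exists(path)}


if __name__ == "__main__":
    print(demo())
```

Pointing `clear_file` at a block device instead of a regular file is the realistic use (size would then come from the device rather than `os.path.getsize`, and the truncate/unlink step does not apply); the read-back check is still only a sanity check on the write path, not proof of what remains on the platters or flash cells.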
1

You are confusing two different senses of what "permanently delete" means.

When you are speaking of secure erasure on physical media, permanently deleting a record means making sure that nobody will ever be able to recover it, whatever forensic methods they could use. In this sense it could be required to overwrite a magnetic disk several times, for example.

When you are speaking of removal of information from an application or web site, that just means that the information is no longer directly accessible, and that the current operational procedures will no longer restore it. It is perfectly acceptable that the information still exists on a backup medium, provided the restoration procedure ensures that it will be removed before the backup data goes online. Specifically, it is not required to dig through the application logs to remove every instance of the data. To be even more explicit, various laws could forbid such erasure from the logs, because they must be kept for some time at the disposal of the legal authorities.

Serge Ballesta
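The restoration procedure the answer above relies on ("it will be removed before the backup data goes online") is usually implemented as an erasure ledger that is replayed onto any restored backup. The following is an added example, not code from the answer: it uses in-memory SQLite databases and the SQLite online backup API as a stand-in for a real database and its backup system. The `customers` table, the sample rows, and the choice to key the ledger by the opaque row id are assumptions for the demo. The ledger itself must be retained (it is what makes the deletion stick across restores) and must be applied before the restored copy is reachable by the application.

```python
import sqlite3

# Constructed sample rows (no real people or card numbers).
SAMPLE = [
    (1, "alice@example.com", "5555555555554444"),
    (2, "bob@example.com", "4111111111111111"),
    (3, "carol@example.com", "378282246310005"),
]


def new_db(rows=SAMPLE) -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE customers(id INTEGER PRIMARY KEY, email TEXT, pan TEXT)")
    con.executemany("INSERT INTO customers VALUES (?, ?, ?)", rows)
    con.commit()
    return con


def snapshot(con: sqlite3.Connection) -> sqlite3.Connection:
    """Take a backup: here an in-memory copy via SQLite's online backup API."""
    dst = sqlite3.connect(":memory:")
    con.backup(dst)
    return dst


def erase(con: sqlite3.Connection, ledger: list, customer_id: int) -> None:
    """Application-level erasure. The live row is deleted AND the request is
    recorded in a ledger that outlives the row, so it can be replayed onto any
    backup restored later. The ledger stores only the opaque key, not the data."""
    con.execute("DELETE FROM customers WHERE id = ?", (customer_id,))
    con.commit()
    ledger.append(customer_id)


def restore(backup: sqlite3.Connection, ledger: list, replay: bool = True) -> sqlite3.Connection:
    """Bring a backup back online. With replay=True, every erasure recorded in
    the ledger is applied before the restored copy is handed to the application."""
    live = sqlite3.connect(":memory:")
    backup.backup(live)
    if replay:
        live.executemany("DELETE FROM customers WHERE id = ?", [(i,) for i in ledger])
        live.commit()
    return live


def ids(con: sqlite3.Connection) -> list:
    return [row[0] for row in con.execute("SELECT id FROM customers ORDER BY id")]


def scenario(replay: bool) -> dict:
    """Backup is taken, an erasure request arrives afterwards, then the backup
    is restored. Without replay the erased subject silently comes back."""
    ledger = []
    live = new_db()
    backup = snapshot(live)       # nightly backup, taken while bob is still a customer
    erase(live, ledger, 2)        # erasure request handled after the backup
    restored = restore(backup, ledger, replay=replay)  # disaster recovery later
    return {"live": ids(live), "restored": ids(restored), "ledger": list(ledger)}


if __name__ == "__main__":
    print("with replay   :", scenario(True))
    print("without replay:", scenario(False))
```

Whether the ledger may hold a pseudonymous key like the row id, and for how long, is itself a retention question; the pattern only guarantees that a restore cannot resurrect a record that was erased after the backup was taken.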