[Inspired by Atlassian's outage (https://www.atlassian.com/engineering/april-2022-outage-update)]
Dear HN,
What are the industry best practices for data deletion? Compliance rules stipulate that data can be permanently deleted when necessary, but backup policies stipulate that data can be restored if needed.
In this case, Atlassian ran what they called the "permanently delete" capability that is required to permanently remove data when required for compliance reasons. They quickly learned that they deleted the wrong data, and started the process of restoring it from their backups.
How do various regulators view this? A layman's interpretation says that the data was not permanently deleted, because it was still in the backups. How to balance the two requirements?