I have a new requirement to delete sensitive data when requested by the user.
The problem is that the system is complex and there is a lot of existing data in the system and they are all related.
If I simply do a cascade delete, it can easily affect how other functionality might operate in unpredictable ways.
How should I handle this situation? Should I actually delete the rows or can I just go through the system and find the data I need to delete and clear them from the rows and then mark each row as deleted.
The second option would probably be safer but it could be argued that even through the data is stripped, there is still some evidence that the user entered the system because the rows still exist.