Delete personal data is not absolute.
What you need to know?
Deleting personal data is not an absolute, binary process. To remain compliant, organizations must maintain a minimal record indicating that a specific user's data was removed on a specific date. This is not about retaining data for use, but about retaining evidence of compliance.
This necessity is driven by two key regulatory requirements:
Singapore PDPA (Section 11): The Accountability Obligation under the PDPA requires organizations to be responsible for the personal data in their possession or under their control and to demonstrate compliance with the Act. Retaining a record of an erasure request is a standard practice to fulfill this obligation during an audit or inquiry.
EU GDPR (Article 17(3) & Article 5(2)): While Article 17(3) provides the exceptions where data must be kept, Article 5(2) (the Accountability Principle) mandates that the organization must be able to demonstrate its compliance with the regulation. If you delete all proof of the erasure, you cannot prove you complied with the request.
Practical takeaway for your operations:
When an individual asks for "total deletion," you are essentially balancing two legal pressures:
The Privacy Pressure: Satisfying the Data Subject Access Request (DSAR) to erase data.
The Accountability Pressure: Retaining a "log" that this specific erasure event occurred.
As long as that minimal record is stored securely, limited in scope, and used only for compliance demonstration, it remains the standard for robust governance.