A site (or business) can store personal information based on the individual’s consent. This consent is given when the person enters the info.
The problem is if the person changes their mind - then the lawful basis of data processing is gone. Anonymizing (is that a word?) the data could be the best way to solve this after someone requests account deletion.
So best would be if one could argue ANOTHER basis for the processing, not consent. From memory some grounds for data processing are: it is necessary for performing the request/contract, certain interests etc. others are related to public interest, legal requirements etc.
The other possibility MIGHT be that the consent could be written in a way to enable deactivating accounts while info remains (posts, stats) etc. this could also be sensible since there is the conflicting side of the coin of keeping records and not destroying possible evidence etc. I would aim to have a consent that basically states that anything done while an active member remains on public side and IP etc is inaccessible to admins (is it?) after deactivating the account. The right to be forgotten/anonymize could maybe be done by admins by changing the user name to a random string when deactivating the account.
Anonymized data can be stored and processed. So it is a question of wether the user info is obscured enough “behind the scenes” for full compliance with the regulation this way.
Since we don’t have any case law yet, it will not be possible to say with certainty how these purposes will be interpreted. But the aim of the legislation is to ensure privacy and secure data processing, not to hinder normal accepted activities... that said, it is a mess until we get case law or country specific legislation in EU.
Disclaimer: I’m a lawyer and have attended a few courses on this, but don’t have my material with me when writing. This is not legal advice, etc
