The fact that the deletion is needed at all speaks to a pretty terrible design. The data should simply not be permanently stored.

I have quite a lot of experience dealing with personal identity information. Unless the latter has to be reported, it's never stored. And when it does have to be recorded, it's actually deleted to comply with GDPR and friends. In any case, if any personal data is to be stored, it's always encrypted with personal keys.