As part of SOC 2 preparation (and just general operational best practice), we take regular PostgreSQL backups and keep them for up to a year. One of our partners has a requirement that we be able to delete any data sourced from them on request, including from backups. The GDPR right to be forgotten would seem to imply a similar requirement (although from my Googling this seems to be debatable).
It seems impractical and potentially very expensive to load all of the database dumps for the last year, filter out the data, take new dumps, and replace the existing backups. Most of the data in question is stored on Heroku, where we don't have write access to update the backups (although we can delete them on request). Are there systems available to deal with these kinds of requirements? How do other companies deal with this (presumably quite common) requirement?