For publishers with complex data needs, current technology simply hasn’t caught up to GDPR’s stringent requirements. For example, publishers collecting uncategorized voice or video footage of individual citizens would have an extremely difficult — if not impossible — time complying with Right to Erasure cases, in which they need to locate and delete all identifiable data pertaining to a particular person.
What to do?
Instead of obsessing over the impossibilities and maybes, focus on what you can control: understanding your data deeply — what it is, where it is, where it’s going and what its limitations are. Only by getting to know your data better than ever will you be as equipped as possible
Focus on codifying policies that govern data access and delivery. Rather than asking someone to determine whether Jane Doe should be able to access the latest financials in her Amazon Web Services (AWS) environment, implement a system that combines the identity of the requestor, attributes of the data and nature of the request under well-defined business policies. Does the data contain EU citizen data? What is required to secure an AWS environment? These are much more important questions than any one request. Defining these policies enables organizational data flows that satisfy regulatory and business constraints.