There’s also a grey area around accountability and proof of data-handling compliance. “The GDPR requires that you can show evidence that you’ve received a request and taken action in an appropriate timeframe,” Klassen explained.
And that, he explained, carries its own set of new privacy considerations, many of which will be challenging for U.S. companies looking to comply with the regulation.
“It gets tricky,” he said. “When an individual makes a request, the company has the right to ask for proof of identity, because after all, that could be catastrophic if they erase the wrong person’s information or return a different person’s information. So for instance, Google requires you to take a picture of your passport—then the question becomes whether you’re giving them information that’s more sensitive than the data you’re looking to access.”
Further, companies can’t erase that proof of ID.
“A data subject can say, that wasn’t me, prove that it was,” Klassen explained. “So if they don’t have that proof, they’re in trouble.”
Ugh! My head hurts thinking through all the technical problems created by this piece of legislation that was most likely created by lawyers and bureaucrats without an understanding of technology or process. I can't even get a straight answer as to whether my simple blog needs to be compliant nor can I afford to pay a lawyer to answer that question. And even if I needed to be compliant, I am certain it would have a financial impact on my ability to operate this website.
You're a photographer in an E.U. member country. You snap a photo of someone or group of people in public or at an event. You get signed content to use the image for news reporting or your website. The image is published in a newspaper/magazine/website. One of the people in the image later object to its use and wants the image removed. What do the photographer and publisher do? How do you recall and destroy all copies of the newspaper or magazine? How do you ensure that the online image has not been downloaded and copied elsewhere by people /entities you have no control over?