There are probably others going the rounds as well. Prefacing what I'm going to say with IANAL (I am not a lawyer) it makes sense to apply some rationality to this and maintain the proper borders between organisations. In general I do not believe that anyone has to promise to any one else, including the Government that they are going to obey the law. Extra contractual conditions won't provide any kind of indemnity to either party, remember that organisations that supply data have a duty of care to both the owners of the data (individuals), and whoever they share it with, that they indeed have the necessary permissions. There could potentially be a lot of 'indemnities' swapped around. But of course they mean nothing.

The same really holds true on being asked for copies of policies, procedures or even implementations. This isn't new behaviour there are some companies that seem to love forcing their own procedures down suppliers or even customer's throats. Being asked for the details of ISO 27001, the procedures for generating, holding and rotating keys and so on. Each one of these requests can be managed with a blanket 'We maintain and regularly review our policies in this and other areas in the light of Best practice and Regulatory conditions applicable at the time, this includes any legal requirements. The specifics of our policies, procedures and implementations are naturally commercially sensitive and are not to be shared.".

This is especially true over a right of audit. Unless the specifics of handling data can be entirely separated by supplier or third party it would be very difficult to allow third party audit without also exposing other data to which they had no reasonable access.

The last two points, contractually requiring or appearing to place the burden of performing the mandated deletion or forgetting of personal data, are going to be awkward for both supplier, third party and the owner of the data themselves. No organisation is going to want to have the unmitigated risk of a third party not being able to effectively delete or forget the data they've had, but this in no way absolves the data collecting company from their own obligations. There are practicalities around the deletion and forgetting of data which can mitigate some of the risk but first think about the shared risk of a collecting company and third parties that they may use to process, transform or manage that data for them. Those third parties are not just companies like Cambridge Analytica (who never needed identified information anyway), but any kind of service or processing organisation, lawyers, accountants, consultancies, outsourcing IT, off shoring, marketeers, job services, SaaS applications, on and on. All of them will have a shared risk.

Unlike Operational Risks, Business Risks should be singletons. If there isn't one policy, procedure, implementation in place, but many and those are determined by contract; there will be failure. The decision tree for making this sane is fairly obvious but there's a couple of things that might not be.

• This is a Trust process so be transparent about what can be transparent, and transparent about where the borders are.
• Ask the same Transparency of your Supplier, Customer etc 
• Eliminate the possibility of being able to use aggregated data before exploring needing to share Personal Data.
• Still before sharing Personal Data explore thoroughly pseudonymous data (really)
• Before giving access to Personal Data explore the options of Escrow, the only copy of the data is managed possibly by one third party whose business is providing this service and has no interest in the data itself. (Just like any other Due Diligence process between tow or more parties).
• If you do have to share data do not (that should be in CAPS), DO NOT ship data but control access. This can even work for the 3rd party processor if they have to take the data set. But they don't do they?
• Deletion, Forgetting and Archive. Agree what they mean before you start doing this at all.

On the last point, which I want to elaborate on in lots of detail one day soon, it's important to not get bound up in definitions of Deletion, Forgetting and Archive that require adjusting the laws of Physics. The regulation so far, describes all of these states in terms of availability to the 'System' and access or use. Those are the states to concentrate upon. There are complications relating to Archive and legacy systems of many years standing but there are also ways of handling them.

My initial response was:

Because it is straightforward to not engage in writing systems and applications that can be used to aid prejudice and foster division but its very hard to avoid modelling and designing into data stores categorisations that can be used in ways which are prejudicial to the owners of that personal data.

But what about needing to know who is affected by this or that prejudice and persecution so we can protect them and improve their lot? Surely we need to collect information to identify those parts of the population that need help? But do you need to count in order to know what is the right way to treat everyone? Is counting and identifying itself the wrong?

For specific needs does someone really need to identify themselves as disabled, or are they really an individual with a requirement?

Personally, I don't categorise myself in any ethnic, religious category on any form and would avoid gender and age if I could. As a modeller, architect, would I argue against collecting this data? I would now. 

I would employ all the arguments about not collecting personnel data unnecessarily. Does your application/system require gender to be relevant? Really? Age? Should the provision of public services need ethnic data? And so on.

Really ask if each one of these metadata categories is necessary, bear in mind that each of the categories will likely be from a control list plus 'other' perhaps. What purpose will be served, if its for some broad population statistical use ask how does this category give meaning ful information that actually matters in a statistic. Take Male/Female (I won't fall back on self described gender issues to begin with the traditional simple case should suffice), how does it help knowing someone ticked either box? Will they buy or be interested in a different product or service? Will they want different information, will the content be filtered?

If the answer is yes I'd ask the question, so you wouldn't sell to someone of the wrong gender? Would you only show pink bikes to girls? Carbon fibre drop handlebars to boys? I'd hope not, so how does your case differ?

Are the services, products and information that I'm interested in in any way absolutely connected with my age, gender, ethnicity, mobility? I don't think so. The actual services, products and information might very well have particular characteristics that I want to filter and search by but not necessarily because I possess or share those characteristics.

If you're building recommenders why limit or filter or weight your recommendations based upon any of these largely loose non-authoritative categories? Isn't the behaviour and content far more important. Quite a while ago now, over ten years, we were involved in building a streaming personal video platform and the Advertising people wanted us to include something like 200+ questions on the user's likes and dislikes. That got rejected fairly quickly just in contemplating the registration funnel but it did betray the then assumptions about how to collect and slice and dice population data. Analyse the individual, get as much stuff about the individual from the individual and apply that to the content, product or service. It came straight out of the publishing industry with the cards for subscribers to punch or circle their characteristics.

Now of course we apply it the other way round, the behaviour of the individual and their peers or group, their history of success and failure or abandonment, the content/product/service chosen by that group along with many other dimensions of behaviour to new and evolving content, products and services, all that Big Data stuff. And we don't really need all that categorisation up front, in fact it could skew the results badly. 

But for those organisations whose data sets were modelled and collected well before this Big Data magic and they had all this carefully researched (or not) data, has it been reevaluated? Or is it sitting there in the rest of the data but consciously or unconsciously splitting your data sets into what might be irrelevant and even misleading subsets.

I think a great many of these characteristics should not be collected and stored and they should all be reevaluated periodically. I include official forms in this, actually I especially include official forms in this.