[jskdvsksnb]

I worked on a compliance effort for a large-ish American tech company. Imagine a lot of boxes and arrows diagrams and plausible deniability. I was told we had to "balance risk", which in practice meant all data was available to everyone with no governance strategy. It was impossible to enumerate all the places data might be collected and stored, let alone find the appropriate person to handle the deletion request. We ended up basically handling the "happy path" and pretended the known unknowns didn't exist. This gave everyone enough plausible deniability to say "well the policy is X" with no means, technical or otherwise, of checking compliance.