The Ontology problem is one layer harder. The edges I'm describing are inferred i.e, risk scores, behavioral patterns, connections between a person and a geography. There's no standardized form for them and no agreed technical definition of what deletion even means. That's where the enforcement gap is sharpest and what my intention is in writing that piece.
Yes, but that is already legally required. If you aren't storing a name but storing a phone number, and somebody has asked you to delete his personal data, you have broken the law.
Your phone number is personal information, so they are. They aren't allowed to save your phone number from your friend's phone scan in the first place.
Doing that kind of thing is a serious crime. In Sweden it'd be something like "unapproved intelligence activity against a person" with a multi-year prison sentence, since you're gathering data about someone by deceptive means. We're thus not talking about GDPR any more, but about prison sentences for espionage-adjacent stuff.
The Ontology problem is one layer harder. The edges I'm describing are inferred i.e, risk scores, behavioral patterns, connections between a person and a geography. There's no standardized form for them and no agreed technical definition of what deletion even means. That's where the enforcement gap is sharpest and what my intention is in writing that piece.