I have the feeling that there is a lot of uncertainty in the developer and startup community, and among the US audience, regarding GDPR. I have been involved in my company’s entire compliance process, from legal research, to setting up the data processing register, to educating employees, to modifying systems and processes. Maybe I can help. I have a developer and entrepreneurial background (I am the author of Passenger). Ask me anything.

Note: this AMA is also on Reddit, where you can see more questions and how I answered them: [1], [2], [3], [4], [5]


    How does your company deal with authenticating users behind GDPR requests? Let’s say I receive a mailed and signed letter from Bob Marley, asking for his personal data. How do you authenticate the user?

    Even more importantly, how do you authenticate people behind deletion requests?

    Do you rely on email? In-person ID presentation? Scans of government-issued IDs?

    If I am asked to delete or deliver someone’s data, I want to be sure it is that particular person making the request. In the real world you can ask for a photo ID and compare the picture. Online, it’s a bit harder.