This letter seems like a nice way to sell UMA to industry as core to both compliance and customer satisfaction. How many of the issues raised in this letter would be solved by outsourcing to a patient-controlled authorization server?

https://www.linkedin.com/pulse/nightmare-letter-subject-access-request-under-gdpr-karbaliotis/