Anyone engaged in the collection and sale of data should be required to maintain a list of their customers. Upon the sale of data, the customer should be required to provide their list to the broker. At the point of collection/consent, the list should be made available to the consumer.

For example: You want to vote in an online poll by company A. Company A collects data about you and sells it, so you must agree to their privacy policy. Company A's privacy policy discloses that they sell your data to Companies B, C and D. Companies B, C and D have provided lists of their customers to Company A, and Company A includes those lists as well. In addition, the customers of those companies provide lists (as all data brokers would be required to do).

If it seems like it could get overly complicated with huge lists of data brokers for a simple online poll, that's the idea. You shouldn't have to wonder how many entities you're giving access to your information when, for example, you want to vote for MLB All-Stars. MLB wants your name, address, email, phone number, and they disclose they'll "share it with partners" but they don't say who those partners are, how many exist, and if they have their own "partners". Vote for your favorite player and you could be getting a phone call for life insurance 15 minutes later, after your number has been passed through 5 different companies.

CCC has a longstanding policy demand called the "Datenbrief" ('data letter') [1]. Under this proposal, every corporation that keeps personal information about a natural person would be obligated to, once a year, mail the subject a letter containing their information, with instructions on how to exercise their existing statutory deletion/correction rights.

If you keep PII, you'd also need to keep some contact info for the subject, and use it to ensure they know about their rights / the data. The existence of the data-related right would imply an obligation to inform the subject about it.

I guess I'd prefer a web interface displaying all the data holders with little "delete" buttons over getting a gazillion letters, but if this is implemented by a single organization that actually has all your data (even if only for the purpose of facilitating GDPR), it could be a central point of failure.

[1] https://www.ccc.de/en/datenbrief