Identity – Critical for GDPR?
How critical is Identity and Access Management to GDPR Compliance?
The somewhat radical philosophy underlying GDPR is that enterprises must enable individual data subjects (EU citizens) to control their own Personally Identifiable Information (PII), and to grant or withdraw permission to store and use such data. Certainly, appropriate processes and technology are essential to protect the data "by design and default," but the question remains: how can enterprises keep track of all the data subjects and their PII data?
I propose that Identity is at the heart of the matter. How can an enterprise:
- Know who all data subjects are and what personal data is being maintained?
- Know what rights of data use each data subject has granted?
- Know which PII data elements are being maintained and processed for each data subject?
- Enable data subjects to edit (rectify) any of the data elements being maintained?
- Allow each data subject to grant or withdraw consent?
- Securely authenticate and authorize data subjects when they desire access to their PII?
- Guarantee that only people with legitimate need-to-know can access PII?
- Enable data subjects to request erasure?
- Audit and certify processes for consent, use and erasure?
- Notify data subjects of any breaches?
There are probably more reasons, but this list is a start. In my opinion, Identity is at the heart of effective GDPR compliance.
By the way, as of today, there are only 300 days left.