...
Three roles GDPR sets out. GDPR did not anticipate SSI where the ultimate data controller is the individual. Individuals and Things will eventually be able to write to the ledger. Two policy paths, the only path today is permission write access. Driving toward public write access. Now, need to go through Transaction Endorser > Steward > you submit a proper transaction that is validated and it goes on the ledger. In public, transaction authors write directly to the ledger via the Stewards, with a fee (no commitment to Sovrin tokens or dates - only future possibility).
Revisions to the SVF. The legal analysis arrived at is to say, the role of the Sovrin Foundation is not as a data controller; transaction authors are the data controllers. The role of SF is something called a joint controller that does not have control; for legal purposes called a designated data controller. Stewards have contracts for SF. Transaction authors and transaction endorsers - SF transaction author agreement.