Is The GDPR Fit For Purpose?

By Myles Dacres

The Outsourced DPO noticed two great stories on the BBC about emerging or soon to emerge technologies this week.  These stories sparked a Teams debate amongst some of our consulting team which fortunately we recorded and may publish as a podcast soon.  The first story was about Microsoft filing a patent to record and score meetings based on body language.  The patent application contains a drawing depicting a bunch of sensors in a meeting room to capture and analyse factors including facial expressions and body language.  Whether this patent results in a commercial development remains to be seen, but there must be some motive behind it.

The other story was about Amazon’s Panorama box: a device that can be fitted to existing cameras which can then draw on off-the-shelf apps to read and interpret the images being processed, and take some form of action through automated workflow rules and business logic.  AWS Panorama is something which is available now and is used for functions like detecting vehicles being driven in places they are not supposed to be, tracking customer queues in shops and the like.  Fender guitars currently use it to track how long it takes for an employee to complete each task in the assembly of a guitar.  Follow this link if you want to know more about the product

The big question debated by the team at DPP was the extent to which the regulation of the use of “personal data” is up to the job of effectively controlling the use of these technologies.  The TUC recently published a report on technology-based monitoring in the workplace which throws up some interesting concerns and remedies, but this kind of technology is not contained to the workplace – if it’s in use in shops to monitor queues and public places to detect traffic violations it inevitably has the potential to affect ordinary citizens.  In addition, AWS Panorama is an augmentation for internet protocol (IP) cameras which this morning were selling for as little as 99p on E-Bay so the cost of technology is unlikely to be a barrier to wide-spread adoption.

As this is new technology or in the case of AWS Panorama, existing technology deployed in innovative ways, using it to process personal data is subject to a data protection impact assessment (DPIA).  But the Outsourced DPO has mixed experience of DPIA: some being a highly detailed critical analysis, and others being a superficial tick-box exercise obviously lacking understanding.  One concern raised in the TUC report is that the interests of workers is often overlooked when AI is rolled out at work.  This should not happen in an effective DPIA process.  The report also cites a recent Ipsos survey conducted for the European Commission which apparently says that a whopping 42% of enterprises currently use at least one AI technology.  Wow!  That if that is an accurate reflection of reality it represents an awful lot of DPIAs that have been carried out.

The DPIA process in itself is a great tool and, coupled with the requirement to enter into consultation with the supervisory authority prior to rolling out processing which remains high risk even following DPIA mitigation it has the potential to act as a brake or at least an effective check on badly conceived implementations.  The ICOs regulatory sandbox is another great tool allowing enterprises to discuss and explore concepts with the regulator.  But the necessary vagueness of the language used in the law could be its weakness.  One person’s high risk is another’s medium risk.  A DPO with a technical background may conduct a better DPIA than one without.

What we really need is society and culture to change.  The DPIA is only as good as the people undertaking it and they are only going to work within the social constraints and norms they recognise.  We need data protection and privacy to be given the same high regard that health and safety and other disciplines enjoy.  In time DPIAs will be an integral part of decision making and front-loaded into projects and initiatives.  They won’t be the preserve of privacy practitioners – everyone will be able to do one at some level.  But at the moment it seems that there is a rush to try these new technologies out to push the boundaries and find out what they can do.  Sadly, their privacy implications appear to be of less concern.

Philip Brining – Director – Data Protection People 

Contact Us

Send us a Message

    We would like to use your contact information to send you marketing and promotional materials and special offers by email from time to time. We may only send information to you in this way with your consent. Please indicate whether you consent to us contacting you in this way for those purposes. You may withdraw your consent at any time by clicking the unsubscribe link in our emails.

    We are always happy to make contact with you by either phone, email or a face to face meeting at our office or yours. We work standard UK office hours – every week day 0830 to 1730.


    We have been receiving complaints over the last few weeks from people who have received unsolicited direct marketing calls from a company called The Protection People.  We should like to point out that we are Data Protection People and have nothing to do with those calls.

    We have been advising those people who have contacted us that they should make a complaint to the Information Commissioner’s Office (ICO) using this link  It would be helpful to the ICO if you knew the number that called you, the date and time of the call and what the call seemed to be about.

    You might also want to register your phone number with the telephone preference service (TPS), a national suppression service which should cut down calls of this nature as it is not lawful to make unsolicited direct marketing calls to numbers registered on the TPS.  You can register your number here

    We know that these kind of calls can be distressing and intrusive and you have our sympathy.  Please do not hesitate to contact us if you would like to discuss it with us otherwise we’d encourage you to report it to the ICO as notifying them of this kind of practice enables them to investigate and take enforcement action where necessary.  You can see the action that has been taken by the ICO here

    Data Protection People Limited – March 2021