GDPR in the fast lane.

The Outsourced DPO has often compared data protection law to driving within the speed limit but a phone call last night changed that perception.

Driving home last night, the Outsourced DPO was mulling over a customer brief for a DPIA on a project involving facial recognition when he suddenly remembered that his car insurance ran out at noon today!  A quick call to Churchie rectified the situation and during the conversation, a 10% discount was offered for taking a telematic “black box”.  The Outsourced DPO made a mental note to request the privacy information about in-car telemetry to see what it actually does and the automated decision-making involved – but this blog is not about privacy information, the notion of a black box sparked the Outsourced DPO’s thoughts about accountability in the GDPR.

Every couple of seconds, the in-car telematics box sends a host of information to the insurers’ database about the driving of the car including the location, speed, acceleration, cornering forces etc.  The policy owner may log into the database to review the data and see how the vehicle has been driven at any point in time.  So when the Outsourced DPO’s 17 year old son borrows the car, the Outsourced DPO is able to review his son’s driving both during the journey and periodically thereafter.  According to Churchie, the insurer will use this information at renewal to determine if a discount can be applied and in the event of a claim.  So, the little black box innocuously sits in the car reporting on the drivers’ every move to enable the insurer to determine, in the event of a claim whether, for example, the driver was driving erratically, or too fast, or in fact has exceeded their agreed annual mileage.

The Outsourced DPO has often compared data protection law with driving within the speed limit:  the law states that you may not drive any faster than 70 mph on a motorway.  You may chose to ignore this or to push your luck through non-compliance – but if you get caught, expect to be punished.  Many drivers weigh-up the chances of getting caught in the context of the specific circumstances at the time (e.g. they are late for work) and make decisions whether or not to comply with the speed limit.  The Outsourced DPO has encountered organisations taking a similar approach to compliance with data protection law but if in-car telemetry has shifted the balance of power for insurers, it seemed to the Outsourced DPO that the principles of accountability contained in the GDPR at Article 5(2) and in other places are in effect, a GDPR black box of sorts.

Controllers and processors must implement technical and organisational controls a) to allow their employees to process data in a compliant manner, and b) to enable it to be able to monitor compliance.  Both are legally required not only to be compliant but also to be able to demonstrate compliance, and as we know, compliance is about organisational behaviour.  The people processing personal data within organisations will either be processing personal data in a compliant manner or they won’t – and organisations will either be able to demonstrate compliance or they won’t.  In the event of a complaint, the ICO will request evidence of compliance and use it to determine if there is a case to answer.

My contact said that while he wishes to undertake a DPIA on his facial recognition project, management are reluctant to spend the money and potentially slow down the project.  Familiar story or what?!

I reminded him that it is a legal requirement to undertake a DPIA in several circumstances including using innovative technologies or technologies in innovative ways and when combining data sets.  This project seems to do both and therefore a DPIA is mandatory.  But it is up to the organisation and its partners to commission the DPIA – no one is going to tell them to do it.  My analogy is that the client is flying down the M1 at 105mph in rather a hurry.  They may not get caught disregarding the law during the journey, but with a black box installed, evidence of their non-compliance would be created and they may be held to account for their actions at some point in the future.

The same is true of the facial recognition project.  The client may well implement the new system without a DPIA but at some point, someone will want to know more about their use of the technology and will ask to see the evidence of GDPR compliance.  A copy of the DPIA will be requested?  If this technology is monitoring on a large scale, who is the DPO?  What is recorded in the ROPAs to describe the processing activities and is the processing fair, lawful and transparent etc. are all questions that will be asked?

It is my suggestion that the principles of accountability and the accountability principle within the GDPR install by default a “black box” into organisations.  They determine that controllers and processors are required to implement a record keeping system that evidences compliance and the monitoring of compliance – effectively the black box data – innocuously compiling information which may be needed if the organisation is called to account and required to demonstrate compliance.  As in the world of insurance, this black box data will be used in the event of regulatory action and claims as well as being useful in-running and during reviews.

Phil Brining

6th June 2019