Making your use of personal data trustworthy

These PL&B International Reports focus both on privacy laws and the way that business uses people’s personal data. I attended two conferences in the last week which tackled the collection and use of personal data from different perspectives.

Companies increasingly use algorithms to collect, analyse and take decisions on the basis of personal data. Even if location data is in principle, de-identified, it takes fewer than four data points in 95% of cases to re-identify people and can do much harm, said Charlie Cabot, Research Lead, Privitar, at its In:Confidence Conference on 4 April in London.

“Humans and machines should work together doing what they each do best...There is a risk of humans over-trusting technology.,” explained Dr. Hannah Fry, (an Associate Professor in the Mathematics of Cities at the Centre for Advanced Spatial Analysis at University College, London) at the same conference. The driverless car is a concept for the future, but partnership between humans and technology is everywhere in the form of assisted driving, such as cruise control and warnings to prevent a crash.

She emphasized that algorithms are human constructions and there is always a risk from market pressure to speed up the deployment of a new or modified algorithm. Algorithms can provide benefits, as in the area of diagnostics via health apps. But we should avoid blind faith in machines. Humans need to retain qualities of empathy to assess a situation for factors which may not be written into the coding.

Every company is a data company to a greater or lesser extent, and behind all the data points are people. While companies increasingly provide more personalised advertising and services, and everyone likes “free” stuff, Jason du Preez, Privitar’s CEO, stated that “data can be weaponised under the guise of personalisation…our decisions can be influenced in this way.”

How to make your company’s use of personal data trustworthy?

Elizabeth Denham, the UK’s Information Commissioner, at her conference in Manchester on 8 April, announced the ICO’s Sandbox. This initiative is the first in Europe in which organisations developing innovative projects using personal data will have the opportunity to build on the benefits of the GDPR’s Data Protection by Design. They are encouraged to engage with this regulator to help ensure that appropriate protections and safeguards are in place. 10 organisations will receive the ICO’s support in the first phase. This win-win scheme will help:

  • these companies gain confidence that they are on the right track from the legal perspective so they can collect and use personal data with confidence, and
  • the ICO learns about the latest methods for collecting and using personal data in real world situations which will influence future policy-making.
    Companies will no doubt prefer this type of learning experience and avoid the verdict of Germany’s Federal Competition Regulatory Authority that Facebook’s methods of data collection is market abuse (p.1).

Making User Experience designers and researchers your allies

The starting point for collecting personal data is the way in which this process is carried out. I commend to you the news item, Canada clarifies the concept of consent, (p. 27) which provides seven principles for a more transparent consent process.

One of them is "involving user interaction/user experience (UI/UX) designers in the development of the consent process". These designers are central to the design of apps and websites and help make a user’s journey an easy and efficient one. Researchers assess whether the versions developed by the coders are understandable to the intended target group and feed back their findings to the managers and coders to ensure that the version released actually works from the users’ perspectives.

We look forward to meeting you in London, Dublin and Cambridge at one or more of our upcoming events - see below.


Stewart Dresner, Publisher

International Report 158

Lead story:

Sweden’s new data protection regime supplements the GDPR

Maria Holmström Mellberg of Cirio Law firm gives an overview of how GDPR provisions have been transposed in Sweden.

Contents also include:

  • Comment: Busy times for EU DPAs
  • UK secures post-Brexit data flow deals with nine countries
  • CPDP 2019: GDPR’s effects are felt far and wide
  • Germany: Facebook’s data collection is market abuse
  • Global data privacy 2019: DPAs, PEAs, and their networks
  • Bulgaria introduces a range of derogations from the EU GDPR
  • Poland’s new GDPR-style law
  • Nigeria regulates data privacy: African and global significance
  • Serbia enacts new data protection law
  • Managing international data breaches in practice
  • Ireland: 136 cross-border complaints by end of 2018
  • Organisations fall short on internal monitoring
  • Thailand adopts comprehensive new law
  • ICCA and IBA to issue guide on international DP arbitration
  • Poland imposes €220,000 GDPR fine
  • Canada clarifies the concept of consent