The 24th of May 2018 saw the coming together of communities to combine efforts to address key challenges caused by the GDPR going into effect. Participants from companies, research groups and governmental departments came together to share research, concerns and insights relating the the enforcement of the GDPR. Through three workshops, participants were able tackle key questions and propose possible solutions.

The first session  saw the participants discuss approaches to self regulation and co-regulation in the context of standards, frameworks and best practices for Personal Information Management Systems (PIMS).

Standards Discussed

  • BS 10012 (updated 2017)
  • IS0/EC 27552 (2019)
  • IS0/EC 29184 (2019)


Frameworks and Best Practice key suggestions

  • Standardised PIMS taxonomy.
  • Decentralised open source platform  for PIMS
  • Trading platform where personal data can be traded.



In the second session, participants discussed the benefits and challenges of data portability .

Key Observations

  • People don’t often have the time to understand their rights and risks.
  • People should Understand Privacy Policies and make sure rights are actionable.
  • People want to know what you are processing, what attributes, what’s the purpose, where is it stored, who it’s shared with.
  • People sometimes think they are the only people with the right to control
  • People often have control over the data of others
  • People often rely on one person to make decisions on behalf of a group of data subjects.
  • People often rely on others they trust to respect their rights
  • People can be described in data held by services they’ve never used
  • People want to be considered when someone else is porting data about them
  • People are most comfortable with porting data between similar services
  • Default assumption that data portability only focuses on information shared between organisations organisations.


Key Concerns

  • People sometimes have competing individual rights and when data relates to multiple individuals they won’t always agree about porting data.
  • Can there be a working coexistence of property rights and privacy rights
  • How do you balance privacy concerns with PIMS
  • How does data that describes multiple people affect decisions regarding data portability.
  • How do you notify others that may be described by data
  • How do you make data shareable between people also
  • Should Personal Data be used by governments and regulators.



In the third session, participants examined how AI can be used in the processing of data and the explanation of algorithmic decisions.

Key Observations

  • Users trust decisions when decisions are explained
  • Observations pertaining to the origin of data are used to make key decisions when collecting data.
  • The GDPR’s right to an explanation means that AI has to be able to account for how it operates.


Key Concerns

  • There are issues regarding privacy in the context of data sharing
    • Concerns about the strength of anonymisation techniques
    • Concerns about Metadata relating to anonymisation
  • What if the data has historical biases how can we identify the its manifestation.
  • How should explanations look?
  • The effects differing explanation styles have on user perceptions


Go here for full report LINK