5 Common Misconceptions Around the GDPR Within the Automotive Industry

19. April 2023

The General Data Protection Regulation (GDPR) is designed to ensure that companies and organizations handle personal data with care and respect for the privacy of individuals. Considered one of the strictest data protection regulations in the world, it applies to all companies and organizations that collect, process or store the personal data of EU citizens. The GDPR imposes significant fines for non-compliance, so it’s essential to fully understand the rules. Failure to do so risks damaging your reputation as well as your bottom line. Let’s take a look at the five most common GDPR misconceptions in the automotive industry.

Misconception #1: ‘Data minimization’ means there is no need for anonymization, because we need all the information we collect.

One of the GDPR misconceptions in the automotive industry surrounds data minimization, the key principle of the GDPR. It means that companies are only allowed to collect, process, and store personal data necessary for a specific purpose. They should not collect more personal data than they need. And they should not keep personal data for longer than necessary.

The whole point of data minimization is to protect people’s privacy by ensuring that companies do not collect and store more personal data than they need, and that personal data is not used for purposes to which the individual hasn’t given consent.

Yet this doesn’t circumvent the need for anonymization. You are obliged to anonymize any personal data you don’t use or need for the intended purpose. 

For example, say you are developing ADAS, you’re going to need a lot of video data. Yet a lot of the time, you only need to collect the body movements or actions and activities of surrounding cars rather than real faces and license plates. Since they are not required for your ultimate purpose in collecting video data, you need to anonymize them.

Misconception #2: There is no risk or interest in identifying individuals in large datasets.

All data has an inherent value either to the individuals themselves or to third parties. If the imagery is collected in public spaces, such as streets or parks, for example, people still have an interest in their own privacy and the ways in which their own data is used.

And even if you, as the data collector, don’t have an interest in specific individuals, are you in a position to understand any repercussions on somebody’s life if they are spotted in sensitive areas they may not want to be seen in? The GDPR assumes not.

Then there’s the fact that any third party with access to a data set or video data could have their own motives to identify people. There could easily be a scenario where a researcher or member of the press trawled through large data sets either out of curiosity or to identify a subject (see PimEyes) deliberately.

Misconception #3: Encryption is a sufficient method of anonymization.

Rather than being considered as anonymization, the GDPR classifies encryption as a form of pseudonymization. That basically means personal data that has been rendered unusable, yet at the same time retains an identifier allowing the data to be unlocked at a later date.

Even if you destroy the encryption key, a determined party can still find alternative methods of breaking the encryption. Even if the code is too complex to crack now, who knows if that will remain the case in the future?

Misconception #4: The company placed information stickers on the vehicles collecting the video data.

If you think that warnings are enough to receive implied consent as a legal basis to process the video you collect, think again. According to the GDPR, you must receive affirmative consent to process data. Merely seeing a sticker on a vehicle or a notice on a website is not considered the same thing and so fails to provide a reason not to anonymize your data. In our experience, gaining affirmative consent is simply not feasible in ADAS video collection, as it would be impossible to track down every single individual appearing in the video footage to gain their written consent.

Misconception #5: The video is only being used for internal purposes, so there’s no need to anonymize it.

Even if you’re processing and using personal data only for internal purposes, the failure to anonymize faces and license plates opens up the possibility that either an employee, never mind a malicious third party, could access the data and recognize individuals.

As we’ve already stated above, no data collector or processor is in a position to judge what may or may not be sensitive to any individual – although the GDPR does list sensitive areas such as hospitals, religious institutions, and other private places. The point is that someone could be compromised, even if that’s not intentional, which could lead to issues for them and, ultimately, for you in the shape of fines, reputational damage, and disruption to your collection/development activities.


So there we have the five most common GDPR misconceptions in the automotive industry. And as we have seen, none negates the use of GDPR – including the concept of data minimization, which can give companies the impression that there is no need for anonymization as long as they collect and use data for a particular purpose.

When you can’t avoid the need for anonymization, you want to be sure you use the most effective method possible. After all, any compromise on quality can negatively impact machine learning and AI-based systems such as ADAS.

brighter AI’s Deep Natural Anonymization (DNAT), is the only fully compliant anonymization software on the market, as well as the fastest and most accurate. Based on generative AI, this unique technology creates synthetic faces and replica license plates that prevent the original subjects from being recognized. This helps ensure that you remain GDPR compliant and able to use your valuable data not only for your current needs or purposes but can also store data for later use.

Find out more about how anonymization drives the automotive industry forward in our whitepaper. 

Caspar Miller
Head of Regulatory