Many industrial companies measure the operational environment at massive scales now using multimodal sensor networks and platforms thanks to plummeting sensor costs -- LIDAR, hyper-spectral imaging, video, RF/radar, audio, remote sensing, chemical and particulate sensors, et al. The exact mix and scope of coverage varies with industry and company. Sectors are diverse and include automative, utilities, agriculture, oil and gas, logistics, etc. The sensor data is primarily used to manage risk, increase efficiency, improve safety, adapt to changing conditions, respond to incidents, do preventative maintenance, and similar.
Any sensor platform that can detect the existence of an entity in space and time and is measuring space where people exist, which is most of them, is collecting personal data. A sophisticated party can reconstruct the identity of detected entities in the sensor data in a straightforward way. Typically, the sensor coverage inherently collects data on a large number of people from which it is impossible to obtain consent, whoever happens to be within or wanders into the sensor range. The detectable people in these sensor data models are analytical by-catch. I've demonstrated this to many organizations using diverse exhaust from industrial sensor systems never designed for that purpose.
Some of these data models are incredibly large and fast moving, petabytes per day. Many of them collect data in federated environments that are severely bandwidth-limited and energy restricted; while the data model is very rich, there aren't enough local resources to do anything outside the designed scope. You can neither push compliance operations to the data, since there isn't enough compute, nor can you backhaul it to someplace that does. The aggregate data models can exceed an exabyte, so you aren't indexing where people are (that would be incredibly expensive) and any attempt to brute-force search to identify people for compliance purposes would effectively be a denial-of-service attack on the system.
tl;dr: the scale and scope of external environmental sensing platforms increasingly used by industrial companies inherently allows you to detect the locations of many people in space and time that are unrelated to the business operation. The necessary scale and operational architecture of these systems make GDPR compliance technically implausible.
Any sensor platform that can detect the existence of an entity in space and time and is measuring space where people exist, which is most of them, is collecting personal data. A sophisticated party can reconstruct the identity of detected entities in the sensor data in a straightforward way. Typically, the sensor coverage inherently collects data on a large number of people from which it is impossible to obtain consent, whoever happens to be within or wanders into the sensor range. The detectable people in these sensor data models are analytical by-catch. I've demonstrated this to many organizations using diverse exhaust from industrial sensor systems never designed for that purpose.
Some of these data models are incredibly large and fast moving, petabytes per day. Many of them collect data in federated environments that are severely bandwidth-limited and energy restricted; while the data model is very rich, there aren't enough local resources to do anything outside the designed scope. You can neither push compliance operations to the data, since there isn't enough compute, nor can you backhaul it to someplace that does. The aggregate data models can exceed an exabyte, so you aren't indexing where people are (that would be incredibly expensive) and any attempt to brute-force search to identify people for compliance purposes would effectively be a denial-of-service attack on the system.
tl;dr: the scale and scope of external environmental sensing platforms increasingly used by industrial companies inherently allows you to detect the locations of many people in space and time that are unrelated to the business operation. The necessary scale and operational architecture of these systems make GDPR compliance technically implausible.