With the objective of controlling the spread of the coronavirus, the UK decided to create a digital contact tracing app and, in early May 2020, was live testing it under the direction of NHS X, a joint unit of NHS England and NHS Improvement. In parallel, NHS X has been building the backend datastore, contracting a number of companies to do so. While the second iteration of the app should integrate a more privacy-friendly design, the project has continued to be criticised for its potential to increase government surveillance beyond the pandemic and for purposes other than tracing the spread of the virus. While I share these concerns, I argue that equal attention should be given to the collaboration between NHS X and the private sector because it has the potential to magnify the illegal collection and sharing of data. Systematic enforcement of the General Data Protection Regulation (GDPR) in the private sector would disrupt the current dynamics hidden in plain sight.