maffew
Well-known member
I know a couple of people on here did their GDPR roll-outs for their work/websites, not least @Bozza.
I have a reasonable understanding of data compliance and GDPR/DPA, it's always been associated with my line of work, but I want to put this out - your thoughts...
Upon trying to open an account, online, with a large multimedia company this week (purely to take advantage of an offer for new customers) I was very surprised when it told me that I already had an account. I enquired how this could be, as I have been out of the country since 2010, and I have a totally different phone number, email address, and physical address. They said they could verify the account was from 2006 and could I confirm my mother's maiden name and my address at this time. Well, I said no, the postcode would be BN something but I have no idea of any more than that. But firstly, why have you still got my information from 12 years ago? And secondly, why are you validating customers based on their name and DOB with 12-year-old data? It's not exactly a proper unique identifier. Indeed I worked with a guy with the same first name, and exactly the same DOB (we were in fact born in the same hospital and lived a street apart, but I digress). It's not like it is the police, or NHS, or even a financial institution.
I asked them to get a manager to email me, to which they stated "a manager is not going to be emailing you back about this".
Well, that got me annoyed. Mostly because I wanted to have a free offer. But actually that to me is a totally unacceptable amount of time to hold someone's data. Yes, I know companies have to keep reasonable data for business purposes. Perhaps for validating car finance, or applying for a loan - even then I think 12 years is too much. Notwithstanding, the verification of who I am or was or might be is flawed.
I might bring it to the ICO. To be honest I wouldn't even think that they could accurately exercise my right to be forgotten, as I wouldn't see how I could even validate that the DOB and name of the account holder at a Brighton address 12 years ago was indeed me. (I am sure it was, by the way, though I couldn't prove nor disprove it.) There are tons of legacy data around, I know, but to me this isn't acceptable. Nor is their response when I asked for it to be escalated.
Thoughts?