GDPR (niche thread)


From the ICO:

“Consent should not be regarded as freely given if the data
subject has no genuine or free choice or is unable to refuse or
withdraw consent without detriment.

It may still be possible to incentivise consent to some extent. There will
usually be some benefit to consenting to processing. For example, if
joining the retailer’s loyalty scheme comes with access to money-off
vouchers, there is clearly some incentive to consent to marketing. The
fact that this benefit is unavailable to those who don’t sign up does not
amount to a detriment for refusal. However, you must be careful not to
cross the line and unfairly penalise those who refuse consent.”


Sorry that was meant to be @hip_young_gunslinger


Interesting - in previous stuff I read it seemed like this was exactly the kind of thing that wouldn’t be allowed. Do you have a link to where that’s published?


Well as always it depends what it is. If you’re buying beer from their website and then at checkout you have to opt in to their mailing list in order to complete the transaction, that’s not allowed.

If they’re offering free stuff in exchange for you signing up to their mailing list then that’s fine so long as it’s worded correctly. GDPR is mostly common sense.

I got that from their Draft Consent Guidelines published last year



I remember reading a specific example in one of the ICO publications about putting business cards in a jar in a bar in order to win a bar tab. It suggested that the only genuine consent you could take from that would be to be notified of the winner, not general marketing communications. Maybe that’s an issue of specific wording though - if you had a sign telling you you’d be added to a mailing list, it’d be legit?


Everyone’s tying themselves in knots about this and it’s gone from boring to funny to enraging.

As with everything there’s no way every situation will ever have an example, so if you think you’re doing something underhand, you probably are - and the emphasis should be on YOU to not do it, not on an endless document to tell you not to do it. If you don’t have that moral compass, then that’s really your (as in the general your) problem now.


Penny seems to have dropped with various companies: looks like we can expect a whole bunch of inventive attempts to grab our consents in the next few months


Hmm - it depends because consent has to be obtained through ‘Affirmative Action’ (such as ticking an opt-in on a form). Not sure how the ICO would rule on whether or not putting a business card in a jar counts as affirmative action. I would argue yes but not confidently.


Yep. Like I said it’s mostly common sense.


I think this statement needs a little more scrutiny to be fair. I would say more likely if you think you may be non-compliant (let’s use a less value-laden phrase than “underhand”) then most likely you’re a) aware that the data you handle is probably personal and b) bamboozled by the lack of clarity you’re receiving about the legislation.

It’s a bit easy to fall into the trap of thinking that everyone this legislation applies to is primarily concerned with monetising the personal data of their customers. Even in cases where it’s technically true (as in the example of charities earlier) then there is genuine public good at stake, rather than the lining of someone’s grubby pockets. For my own part I work for a public sector organisation that processes a HUGE amount of personal data. We’ve been dealing with IG measures for as long as I can remember, GDPR is just the latest challenge, and the ambiguity inherent in these choices is absolutely real. And ultimately of course where you have doubts you err on the side of caution, and since we use personal data to improve services for our customers (you’ll have to just take my word for it, that is the only reason we could possibly have) that means we provide worse services than we could if there were better clarity.

But I’m sure that will come eventually.


A large part of cyber insurance losses are based around data protection regs. If your work has a policy it would be worth checking it and discussing with the provider.


Cheers, since I posted this thread my company has been way hotter on the topic than I anticipated and unbeknownst to me at the time our CTO had been working on it pretty extensively.


A data protection related issue/query here (from me as a customer, as opposed to an employee):

My girlfriend had a delivery due from the delivery company DPD on Friday, but they didn’t deliver it for whatever reason. She then received a number of notifications on the DPD app to say that the parcel will be redelivered on various different days.

She complained about this to DPD, and then someone from DPD replied and acknowledged on Saturday that they could see there had been lots of changes on her account, and apologised and set a new delivery date. However, after this point my girlfriend then started receiving lots of emails (50 alone on Saturday) with confirmations of other people’s parcel deliveries or rescheduling of deliveries, including their names and home/postal addresses in each email.

So, somehow, any time that someone in the E3 postcode area has a delivery or re-schedules a delivery, then my girlfriend now gets an email confirming it (as if it is her delivery). She could even click on the link to reschedule the delivery if she was feeling particularly mischievous…

I had a (polite) rant with them on the telephone, and sent a couple of emails (which they have acknowledged and said that they have passed on to their IT team), but nothing more than that. My girlfriend is still receiving 10-30 emails each day of people’s names and addresses confirming deliveries. I’ve just sent them another email semi-threatening them that I will end up contacting the other customers directly to tell them what’s happening, or posting about it on social media unless they resolve it by tomorrow, to see if that somehow gets results.

Anyhow, in addition to the nuisance, it is kind of a big deal that they are somehow emailing out other people’s details in error, surely? I’m not quite sure whether there is a proper form of action on who to report it to, or how to get them to give a proper response or solution?

tl;dr shortened version: If you live in the E3 area of London, and have had a DPD delivery over the last few days, then we have your name and address (although unfortunately we don’t have your parcels).


You can report it to the ICO.


Wow, that is a pretty fucking incredible fuck up by someone!

Hope you get it sorted soon tho.


Yeah, that’s a massive fuck up. I hope for them ‘pass it to the IT team’ means get on the blower to the ICO right away, because once GDPR kicks in they’ll need to report a breach like that within 72 hours. If they don’t report it, and fail to get a grip on this kind of thing, they’re exactly the kind of company that are going to get hit with a bumper fine.


Yeah, I think the better way to approach it is to adjust working practices that will enable a general improvement in the way an organisation goes about this kind of thing.

Probably a very obvious point but, when it comes to personal data, we’ve taken the approach of scrutinising whether we have justification for asking for a particular kind of taken. Not easy when you’re dealing with staff who have always done things a particular way and are certain they need the information and are at first unwilling to question their approach, but it has to be done. For example, we do safe and well visits, and on the form we fill in we used to ask for people’s titles; there was no reason why we needed that, so it’s gone. We have also moved from asking for date of birth to simply an age range. The latter is actually much easier for our data team to work with anyway.


I had a phone call yesterday, and they said that it seems to be a driver issue at a particular depot. The driver(s) just kept using the same calling/delivery card every time they scanned to say that they weren’t able to make a delivery, instead of using a new/individual one. Which just somehow made them all linked up. Anyhow, they’ve instructed the depot to make sure that it’s done properly now, so hopefully it’s sorted now.

DPD then also sent a cookie with icing on the top with their logo and the words Sorry and my girlfriend’s name on the icing, so that was at least a nice mini bit of PR to apologise for their mess up. Still quite surprised at how easy a thing it is for something like that to go wrong though!


A cookie is always welcome!


I can’t attend any more “awareness” sessions on this.

I promise I’ll be careful with any data that falls into my hands, just don’t make me do any more awareness.