While we’re still waiting for a full response from Tesco, I wanted to tell you about a Data Protection Request that went right.
At the same time as making the original Tesco request, I also sent out a few other requests to some smaller businesses. Included amongst this group was a business that used to sell tickets and merchandise for music festivals. I already had a rough idea what data they held about me, but I wanted to test how well they handled a Data Protection Request.
Within a few days of receiving my letter, their Data Officer contacted me to confirm some details. A few days after that I was contacted again to say that they had found the data I was after and would be sending it on shortly. Soon after, it was sat in my inbox.
Not only had they sent all the data I was after, but they automatically suppressed my email addresses from any further marketing and asked me if I wanted the data deleted from their database.
I was really impressed by the way this request was handled. Not only did they communicate with me throughout the entire process, but they took steps that were not necessary to complete the task. This should be used by all organisations as a good example of how to handle a Data Protection Request.
Was there anything surprising in the data? Yes – the password I’d used for the website in plain text. Let this be a reminder to everyone: never use the same password on more than one site, and always expect your password to be visible to anyone looking at the database!