I really didn't want to write a blog about GDPR as everyone I know is fed up with it but my experience this evening has made me wonder whether anything has actually changed.

For the last few weeks I have been receiving emails telling me I had to opt in, emails telling me I had to opt out and privacy policies from businesses I don't have anything to do with.  I have read a fair bit about GDPR and, like other small business owners, have done what is right for my business.  I know I am not the only one who has had enough of reading about it, hearing about it and doing it.  Most small businesses were already protecting personal and sensitive data anyway and many do not bombard everyone they have ever met with emails or newsletters.

One of the things I grasped from GDPR is that you can only collect and retain personal and/or sensitive data which is necessary for a particular task.  

GDPRI recently purchased a gift online and was taken to the Paypal website where I could pay by card.  Paypal would not let me continue without adding a phone number and an email address.  The latter I can understand because I will be emailed a receipt.  But are Paypal really going to ring me?  Or will they be passing on my contact details including telephone number to someone else?  They shouldn't, but how easy is it for me to track where my information has gone?  Once I had added my details I then had to tick a box to say I had read the Terms of Engagement, the Privacy Policy and agreed to my details being shared with a third party (although not the merchant).  There was no way to make the purchase without agreeing to this.

Surely this doesn't meet the new data protection regulations?  The new regulations are about only collecting the information that you need.  Paypal is a payment service and has no need of my phone number and therefore shouldn't be collecting it.  I know small businesses have been working very hard to meet the GDPR requirements and doing the best they can with limited resources but large organisations seem to continue to be doing things which don't appear to be in line with the new regulations.

Has anyone else experienced this?

Many years ago I entered for a business award.  I could not enter unless I added my phone number - and it had to be a mobile number.  I could not enter my work landline which would have been the more sensible number to contact me on.  After that I received frequent PPI and other annoying sales calls to my mobile. My number had very obviously been shared by this organisation.  It is much more difficult to opt out of these phone messages than it is to unsubscribe from emails.

Today I was called 3 times by the same company within the space of an hour.  I asked where they had got my details and they said from Google.  Businesses need to provide their contact details online in order for customers to reach them but sales calls and emails will no doubt continue because our details are available for anyone to use for cold calling and emailing.

I am hoping that, as GDPR beds in, businesses will begin to review the information they request and start limiting what they ask for to just what they need and that hopefully these cold calls will begin to get less.