Tonight on Inspector Morse – Morse finds out who sold his personal data using #GDPR laws!

As we all know, the new GDPR regulations have been annoying a great deal of people. Large business, small businesses, young, old, from all walks of life. In the same way, they have also been pleasing a lot of people; generally those who don’t have to lift a finger themselves to implement the new laws.

However, let it not be said that this is yet another useless law created by the overpowers in the EU in response to a public outcry over privacy, where most members of the public really don’t understand where the problems truly lie. No, this law is already getting results. This law is already making it harder for companies to obtain and use your data without your consent, even if that data has been held by said governments for decades in the form of birth certificates, medical records, tax data, National Insurance (or your local equivalent) data, etcetera, etcetera…

As I have recently proved, when I embarked on a crusade to discover why I had received a marketing email from the Red Cross to my work email address.

Allow me to set the scene (some of you may want to go and make a cup of coffee).

If you made this, you are normal

If you made this, you are a hipster

Spam, as we know, is the bane of our existence. And junk mail that you don’t want to receive is a close second. Anyhow, blocking junk email is both tricky and mostly pointless. Yes, email providers are getting better and better at blocking the more obvious junk mail, but they can do very little about what I would call “legitimate spam” – ie. marketing emails sent to you on the reasoning that somewhere in the deep past, you signed up for a service that said they would share your details with their “important partners”. That’s why you receive emails advertising a brand new Honda Civic from as little as £12,999, and you’re a ten year old child.

No explanation needed

Now, at this point, I would also say that I personally hate having unread email. You know that little number next to the folder that says how many emails you haven’t read? Hate that. Therefore, even though Office 365, the wonderful system it is, does a very good job at putting a lot of spam emails into the “Junk Email” folder, it still marks them as unread. So I have to empty the folder all the time, just to get rid of that little number.

Anyway, back to the story. Blog. Whatever. So, since GDPR came in, I have made the habit of unsubscribing from these legitimate spam emails. Which is when I noticed something. You can always identify if a company is using a mass email-sending system, such as Mailchimp, from the unsubscribe option. I noticed that the seemingly random emails I was receiving recently were coming from the same system, and that approximately half an hour after unsubscribing from one email, I was sent another totally unrelated email from the same system. Hmmm, I thought. This looks very suspicious, almost as if when I unsubscribed from one email, I was automatically being added to another list. This, as I’m sure you are aware, is very naughty.

After unsubscribing from a Peugeot garage email (I don’t drive and never have, I ride motorcycles), the next email in the series was apparently from the Red Cross. It all seemed totally legitimate; the website existed, the links were all fine, but I had never signed up for anything with them. Also, it was sent directly to my personal work address rather than the main company / website contact, which meant it was relatively unlikely to have been automatically harvested. Now since this was the Red Cross, and I thought it possible that they were either being used by spammers OR the company they were working with was operating outside of GDPR rules, I decided to tell them about the email I’d received, rather than simply unsubscribe. So I sent an email to the contact I found on their main website, explaining how I believed someone was either masquerading as them, or sending out emails on their behalf to users without their consent.

Imagine my (pleasant) surprise when the very next day, I received a reply from one of their marketing executives. He confirmed that the email was indeed legitimate, and after sending him a copy of the email, he also explained that I had been emailed because:


“…The rule which emails are sent is PECR under which you can email companies on an opt out basis. We conduct a Legitimate Interest balance test to determine if we can email under the new regulations, we determined that company’s like yourselves need to have employees first aid trained… ”


PECR stands for the “Privacy and Electronic Communications Regulations” which work alongside GDPR. In simple terms, it deals with rules regarding marketing calls and emails, alongside other things such as cookies and customer privacy. It’s worth noting that these regulations are due to be updated to fall in line with GDPR, but that has not yet happened. As a result, the latest change in the rules was made in 2016 to prepare them for the introduction of the GDPR regulations, but have not been updated since. More information can be found on the ICO’s website HERE.

What this means, basically, is that a company can email you or call you without your consent if they have obtained your email address and/or phone number through legitimate channels, and if they believe that you would benefit from their services. Indeed the Peugeot email was about company cars as well as personal vehicles, so this undoubtedly would have fallen into the same category.

A typical Peugeot

A typical Ferrari

Now, that is pretty much all I expected to be told. However, the email continued. In fact, it continued by telling me the name, address and contact details of the company that had supplied the Red Cross with my contact details. I will admit that at this point, I was astonished. There was no requirement for them to give me that information. Then I realised that maybe, under GDPR, there was. Since GDPR requires companies to provide information on how they obtained their personal data, then it makes sense that they also have to provide specific details such as the company or individual they obtained that data from, ie. name, address etc.

After thanking the person at the Red Cross for his help, I then turned to the information he had given me. Turns out the company in question (who I am not going to name since they don’t have a client list on their website, but who I have privately thanked and would thank again for reasons that will become apparent) are experts in the business data supply field, and pride themselves on their compliance with GDPR rules, and also helping their clients comply with the data they purchase. They are also a member of the DMA, whose website can be found HERE. Basically, this was a highly regarded, professional company providing data services for other businesses, who were registered with the highest authority in their field. If they were doing something wrong, I would have been very surprised.

Once again, I contacted them through their website, giving a brief rundown of the situation, and asking them if they could tell me how they obtained my email address. This time, the response was even quicker. Turns out that the company in question had been licensed to them by 118 Information specifically for third party direct marketing. Not only that, but I was told they could remove me from their systems, and also contact 118 Information for me and tell them to also remove my contact details from their database.

It’s been over a week since then, and I have not received a single marketing email from that system.

I thanked, profusely, the individuals who helped me. It leaves the question of how 118 Information gathered my details, but it makes a lot more sense for them to have them than a random marketing company, or Peugeot. I’m not interested in chasing that, since to me, it makes sense that 118 Information would have details on pretty much every business in the UK, since they are essentially a business directory.

I would also thank the EU for introducing GDPR, but I find it very difficult to thank someone for something that should always have been in place, with clear guidelines and responsibilities, and wasn’t introduced in part to help governments generate revenue through massive fines.

And here’s another thing. Plastic bags. The war against plastic is the new thing that the world must now fight, thanks to Sir Attenborough’s reports. We must join forces around the planet, vigorously work and introduce new laws to combat the plastic menace. Whilst being forever told by scientists that it’s too little, too late, and we should have done this many years ago (then why didn’t you tell us years ago, huh?).

If you won’t listen to him, who will you listen to?

Anyway, over the past few years that law came in about charging 5p for plastic bags. I’m sorry – if it’s as bad as they say it is, why don’t they just ban plastic bags? Seriously? The UK government could do that immediately. Just ban them. Tescos – 5p per plastic bag, or buy a bag for life. Why not just say, “Either bring your own bags or just dump the contents of your trolley in the car and unload it at home”. Get rid of plastic bags totally. But no – instead we get these half-arsed measures that in the end, doesn’t help anyone except the people at the top collecting their plastic bag tax. Because what people seem to not understand is that plastic waste is generated by people NOT DOING THE RIGHT THING! It’s generated by people throwing plastic out the car window. Dumping plastic in fields. Throwing that Starbucks cup away into a river. So the answer? Oh no, don’t educate people against doing this, or provide more recycling centres, or make it easier for people to dispose of plastic. No, just try and reduce the amount of plastic available so that instead of throwing a plastic straw into the river, people will throw a paper straw into the river. You know what that means? More people will through stuff into rivers because they’ve been told it’s ok to throw away since it’s not plastic.

That’s what GDPR is like. On the surface, it looks good. Underneath though, it’s too late, it only exists because there was an opportunity to ride off public opinion to make people money, the companies who are most at fault are rich enough to ignore it, and it’s a blanket that punishes 99.99% of companies who weren’t doing anything wrong, and isn’t tight enough to stop the 0.01% of companies who were misusing data.

At least it helped me stop one company sending me spam. It could do the same for you.

Shame about the other 99 spam emails I get per day offering me enhancement surgeries from a Nigerian prince whose mother has left him a fortune in gold she mined from Alaska by hand. No-one ever responds to my GDPR requests from them…