2022-07-02

A flaw in GDPR

One of the aspects of the General Data Protection Regulation (GDPR, and UK GDPR) is that you can expect the personal data an organisation holds on you to be accurate.

Specifically, that if it is inaccurate, you have a right to rectification, and you can require them to correct it and make it accurate (even if the ICO don't quite understand that, it is the law).

This is important if the information is mistakenly wrong, but also if it changes over time...

  • If you move house and your postal address changes
  • If you change your name
  • If you change your gender
  • If you change your title
  • If you change your phone number
  • If you change your email address
  • Etc...
(obviously if someone has a record of "the postal address you had when you signed up", then that does not need to change just because you move, unless it is a mistake, but a record of "current address" needs to change when you move).

The organisation has to, legally, rectify the inaccurate personal information they hold on you when you ask them to. That is the law.

But, in my opinion, there is a flaw in GDPR. When "signing up", "registering", etc, when first becoming a data subject with an organisation, it is apparently legal for that organisation to impose rules on what they consider acceptable personal information.

A perfect example: apparently British Airways, this week, refused to accept someone who was female and a Doctor, as the gender and title did not match!

But organisations will decide someone cannot have a first name that is one letter, or that you have to have a first and last name, or that your email address cannot have a dot before the @, etc.

Of course, the person could have recorded themselves as male and a doctor, and having been accepted they could require the incorrect personal information be corrected, under GDPR. The same is true for an email address that an organisation decides is not valid, or a phone number, or postal address or name, etc. Ultimately, legally, they have to accept the accurate personal information in the long run if you require them to rectify the inaccurate personal information they hold and collected at "sign up".

But it seems nothing in GDPR requires that organisations accept the "accurate" personal information from data subjects "in the first place". They can make any arbitrary rules they wish. So we see shit like this, even for perfectly valid email addresses.

To be fair, companies can, and should, validate that something like an email address is valid and is the subject's email address. That is part of GDPR when it comes to rectifying personal data as well. But if it is valid, they should accept it, in my view. Random rules on names, genders+titles, email addresses, phone numbers, etc, are all stupid and should be fixed by an update to the law.

I feel GDPR (or UK GDPR) needs updating so that no data controller can discriminate (i.e. refuse to accept a new data subject) based solely on the format or syntax or rules they have created relating to any valid and accurate personal information at the point of becoming a data controller, any more than they could at the point of being required to rectify inaccurate personal data later.

The fact this is not part of the GDPR is, in my view, a flaw that needs fixing.

I have written to my MP asking for this, maybe you could too?

9 comments:

  1. If you are unable to access a government service as a result of this issue you should complain to the Parliamentary Ombudsman.

    Replies
    1. Tricky as not "unable" to access it, all I have to do is change my personal information to match the data controller's rules, and then I can access it. The issue is that a data controller should not be requiring me to change my personal information, it is the wrong way around.

  2. How do you deal with customers writing their names in Arabic script, Chinese letters, etc?

    Replies
    1. For A&A, some years ago, we took on a major project to update invoice printing and PDF generation, moving from a PostScript basis to an SVG basis so as to support Unicode characters. We cope quite well now. Of course, a data controller could have a field that is "Anglicised version of name" in a database if they wish, and accurately populate that, but we chose to try and be somewhat more accommodating. It all got started with a Polish name breaking our PostScript stuff.
    2. Names are not simple if you are going global: https://shinesolutions.com/2018/01/08/falsehoods-programmers-believe-about-names-with-examples/
      /hjj

  3. I took my wife's surname when we got married (long story), and found that Clearscore would not update the details on my account, instead telling me to open a new account. I exhausted every avenue of their complaints service trying to get it updated.

    It took an ICO complaint but suddenly they found they were able to update the incorrect details. It's also arguably indirect discrimination, as the people that change their surname are disproportionately female (myself being the exception here) they are disproportionately impacted by Clearscore's ineptitude.

  4. I'm sitting in a Premier Inn. There's no 3G, 4G or 5G signal. So have to try and use the hotel's own WiFi. The sign-up page won't accept any rename that is less than three characters long.

  5. I had two just recently. BT website not accepting a + in the first part of an email (particularly annoying as this was on behalf of a relative, so needed it to segregate the messages) and Rexel.com not accepting my surname at all, because it had an apostrophe. It said "please enter a valid surname". So I did as I was told and entered literally "a valid surname" instead. Then it broke on payment, saying card details were incorrect. Tried three times, then on a hunch, removed the apostrophe, payment accepted. Very annoying.
