
2022-07-02

A flaw in GDPR

One of the aspects of the General Data Protection Regulation (GDPR, and UK GDPR) is that you can expect the personal data an organisation holds on you to be accurate.

Specifically, that if it is inaccurate, you have a right to rectification, and you can require them to correct it and make it accurate (even if the ICO don't quite understand that, it is the law).

This is important if the information is mistakenly wrong, but also if it changes over time...

  • If you move house and your postal address changes
  • If you change your name
  • If you change your gender
  • If you change your title
  • If you change your phone number
  • If you change your email address
  • Etc...
(obviously if someone has a record of "the postal address you had when you signed up", then that does not need to change just because you move, unless it is a mistake, but a record of "current address" needs to change when you move).

The organisation has to, legally, rectify the inaccurate personal information they hold on you when you ask them to. That is the law.

But, in my opinion, there is a flaw in GDPR. When "signing up", "registering", etc, when first becoming a data subject with an organisation, it is apparently legal for that organisation to impose rules on what they consider acceptable personal information.

A perfect example: apparently British Airways, this week, refused to accept someone who was female and a Doctor, as the gender and title did not match!

But organisations will decide someone cannot have a first name that is one letter, or that you have to have a first and last name, or that your email address cannot have a dot before the @, etc.

Of course, the person could have recorded themselves as male and a doctor, and having been accepted they could require the incorrect personal information to be corrected, under GDPR. The same is true for email addresses that an organisation decides are not valid, or a phone number, or postal address or name, etc. Ultimately, legally, they have to accept the accurate personal information in the long run if you require them to rectify the inaccurate personal information they hold and collected at "sign up".

But it seems nothing in GDPR requires that organisations accept the "accurate" personal information from data subjects "in the first place". They can make any arbitrary rules they wish. So we see shit like this, even for perfectly valid email addresses.

To be fair, companies can, and should, validate that something like an email address is valid and is the subject's email address. That is part of GDPR when it comes to rectifying personal data as well. But if it is valid, they should accept it, in my view. Making random rules on names, genders+titles, email addresses, phone numbers, etc, is stupid and should be fixed by an update to the law.
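As an added illustration, not from the original post: a Python check that rejects only what cannot be an email address, beside a constructed over-strict sign-up rule of the kind described above (letters and digits only before the @, so a dot before the @ is refused), run over constructed sample addresses. The lenient check is an assumption of this example, not any particular organisation's rule.

```python
import re

# Constructed example of an over-strict sign-up rule of the kind the post describes:
# only letters and digits are allowed before the @, so "j.smith@example.com" fails.
OVER_STRICT_RE = re.compile(r"^[A-Za-z0-9]+@[A-Za-z0-9]+\.[A-Za-z]{2,3}$")

# One hostname label: 1-63 characters, letters/digits/hyphens, no leading/trailing hyphen.
LABEL_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


def over_strict_is_valid(addr: str) -> bool:
    """The rule that tells a real person 'please enter a valid email address'."""
    return OVER_STRICT_RE.fullmatch(addr) is not None


def plausible_is_valid(addr: str) -> bool:
    """Reject only addresses that cannot be delivered: exactly one '@', a non-empty
    dot-atom local part within RFC 5322 length limits (quoted local parts are not
    handled; an assumption of this example) and a hostname with at least two labels.
    Dots, '+', one-character local parts and long TLDs are all accepted. Whether the
    mailbox really belongs to the subject is established by sending a confirmation
    message, not by syntax rules."""
    if len(addr) > 254 or addr.count("@") != 1 or any(c.isspace() for c in addr):
        return False
    local, domain = addr.split("@")
    if not 1 <= len(local) <= 64 or local[0] == "." or local[-1] == "." or ".." in local:
        return False
    if not re.fullmatch(r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~.-]+", local):
        return False
    labels = domain.split(".")
    return len(labels) >= 2 and all(LABEL_RE.fullmatch(lab) for lab in labels)


def compare(addresses):
    """Return {address: (over_strict_result, plausible_result)} for side-by-side review."""
    return {a: (over_strict_is_valid(a), plausible_is_valid(a)) for a in addresses}


# Constructed sample inputs: the first three are perfectly deliverable addresses that
# the over-strict rule refuses; the rest are genuinely malformed.
SAMPLES = ["j.smith@example.com", "a@example.co.uk", "me+ba@example.museum",
           "nobody", "x@@example.com", ".dot@example.com", "sp ace@example.com"]

if __name__ == "__main__":
    for addr, (strict, plausible) in compare(SAMPLES).items():
        print(f"{addr:24} over-strict={strict!s:5} plausible={plausible}")
```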

I feel GDPR (or UK GDPR) needs updating so that no data controller can discriminate (i.e. refuse to accept a new data subject) based solely on the format or syntax or rules they have created relating to any valid and accurate personal information at the point of becoming a data controller, any more than they could at the point of being required to rectify inaccurate personal data later.

The fact this is not part of the GDPR is, in my view, a flaw that needs fixing.

I have written to my MP asking for this, maybe you could too?
