GDPR- It just got personal!

On the 8th August 2018 the ICO published their findings following an investigation into Lifecycle Marketing (Mother and Baby) Ltd. They were given a £140,000 fine for the illegal collection and selling of personal data of more than 1 million people. Sounds very murky and sinister…wonder how they got all that data? The name doesn’t ring a bell. Scroll a little further into the content and I discover one that does..Emma’s Diary. Now that made me sit up. The ‘UK's leading baby clubs for mums-to-be, providing expert advice on every aspect of pregnancy and childcare…’ according to their website. Roll back to mid-2016 when I discovered I was pregnant and freely and gladly signed up to Emma’s Diary, the freepost hardcopy application at the back of the magazine, the online version…where else do I sign, happy to tick every box to ensure I had access to the latest information and get that free tube of sudocreme..did I read the small print? Did I check the privacy policy? Did my lawyerly instincts not kick in and tell me to check and double check? It’s a baby magazine after all…they’ll never do anything wrong? Right? Wrong.

So, they sold my name, address, date of birth of my little one, not sure what else they had.. and it ends up with the Labour Party and consequently I was potentially the recipient of a Labour Party general election publication about their campaign to support the Sure Start programme. This is no criticism of the message and the good work which said policy may deliver. Nor indeed a reflection of my political views. But I’m starting to get a little annoyed here. I do feel a personal invasion of privacy and that of my one year old. Manipulated? Conned? Unhappy? Yes. Yes. YES. Suddenly GDPR has become very personal. I feel a subject access request coming on just to clarify what they have on me and my darling daughter, who else has it and to demand it is scrubbed. Now is this just my nerdy privacy specialist curiosity kicking in or do I genuinely feel aggrieved? Probably both and honestly, more so the latter. And it got me to thinking about who really knows about or actually goes the whole way to exercising their data subject rights. In conversations over the last year and particularly in the lead up to the 25th May 2018 privacy was a hot topic with a typically mixed bag of responses. From general annoyance at a swathe of emails begging for consent to marketing information, scare mongering about what had to be done to denial from the naysayers who thought GDPR compliance was nothing more than a tick box exercise.  But the fact is your customers and clients, existing or future, are aware. So, they might not be able to recite GDPR chapter and verse, but they are aware of its existence, have a general understanding of its implications and more importantly their rights. And anyone who feels their rights have been trampled on with a little digging will know exactly what they must do.

Read a little more into the judgement here the failure to clarify within the privacy notice about who they were sharing data with seems to be their undoing.

So, what now? Well I’m off to issue my subject access request and will keenly await the results (that’s one calendar month and no fee thank you very much). And then I will ask them to delete my data. Just a note..Emma’s Diary has an annual circulation of 870,000 copies. Lifecycle Marketing supplied 1,065,220 records to the marketing company that in turn supplied the Labour Party circulation lists. Now that’s a lot of SARs! Imagine those sitting in your inbox. Time to review your privacy policy, make sure it’s up to scratch and check that you have properly informed your clients about their rights and what you will do with their information before your savvy well informed customer starts flexing their data protection muscles. For more assistance on GDPR policies and training, amongst other services, get in touch with me at Briefed at  



Business, LegalCaroline Boyle