Telephone +44(0)1524 64544

The Wizard Has Bad Form


Sun Jul 22 21:30:20 2018

The GDPR, the General Data Protection Regulation, has been a part of legislation since 25th May 2018, the law was passed into effect in 2016 and then two years were allowed for businesses and organisations to adapt. I discuss some of the aspects of the GDPR as I navigate helping businesses and organisations change to reflect the new landscape.

These articles often serve to highlight a particular part of the law or to give useful links or feedback. Others are intended to be discursive on the way in which the law is implemented or adopted by the many people who have to interact with it.

In this article I am going to discuss how an organisation, Merlin Entertainments,1 has failed to implement the legislation and how they could have done so in a way that made sense and would have made their lives easier.

Form Filling

I fill out a lot of forms in my day to day business life and in my home life. I am, however, not like most people as I sometimes like filling them out. Not the really officious ones, nor the simple mundane ones. But a well laid out form that has a natural and logical progression, where you feel more that you are on a journey of understanding, is a joy to complete.

They are really rare though. So mostly I hate form filling as much as the next person. The form I had to complete that has provoked this lengthy response, was for a complimentary digital photos pass that accompanies my Merlin Premium Pass. There was also a pass for my wife; and one each for two of my children who are aged 6 and 8.

A thing to note here is that we needed our Merlin Pass numbers for this and the card with its photo ID (Photo, Name, Address, DoB, Membership Number, Email all on this card) as proof.

Three Strikes and You’re Out

Broadly speaking the GDPR has three areas that the form I filled out for myself and my family today breaches in a huge way.

1. The collecting of too much information

The form insisted I fill out name, address, email address and if so desired a mobile number. It also required the membership number of my Merlin Premium Pass which is unique to this year and has my details associated with it. The form required all of this but Merlin Annual Pass already has all this information, think about that, why? It is needless tautology. By insisting I enter this information onto a paper form that they then scan into an electronic database and send the form to a secondary part of the organisation they are creating a longer digital footprint.

They could have just verified my identity from my existing pass use the membership number. It has the benefit that the paper is now semi-anonymous (pseudoanonymous). The placing of all my details into the system of a different database with a paper copy just creates more issues. In addition to this they have now duplicated information about my children into two new locations (at least) which is probably a minor breach of Article Nine and the manner in which we collect and store data about sensitive persons.

Strike One.

2. The treatment of sensitive information about children

Speaking of which, the annual passes contain a name and date of birth with a photo of my children on their own passes. This is actually necessary as they are used for identification when gaining entry to attractions and events. However they also insisted on putting the same information on the photo pass.

Merlin could have just used the membership number and photo. Reduces the data and makes the card safer if my child loses it, has the same security against others using it as they don’t have my kids face (creepy or weird if they did) or their membership number (naughty if they took it or an accidental duplication). But no. They repeat the name and other details and print them onto the card that any person can request to see and scan.

This is again an invalid step that will just result in a greater threat to the sensitive information about my children. Which makes me think they have a casual disregard of what they are collecting and how that data is used or displayed.

Strike Two.

3. The tick to opt out box.

To Paraphrase: ‘Merlin Entertainments [will cheerfully share all your data for a profit] with our select third party [anyone we deal with who sees you as a market] vendors and suppliers. If you do not wish to have this information shared with them tick this box’

Nope. The ‘opt out’ box was illegal under the previous Data Protection legislation and it continues to be so under the GDPR. In fact it is strongly disapproved of. The interesting wording is that this is only for their 3rd party vendors, so there is no opt out at all for the Merlin and its partners then?

Strike Three.


Well, I hope that someone at Merlin Entertainments gets to read this and maybe thinks about changing their forms. This was a clearly pre-GDPR mindset and to be honest a clear pre-DPA mindset. This type of cavalier behaviour towards data security, processes, protection of sensitive individuals and user choice is the reason we have such a need for new legislation with a stronger enforcement of the law.

I guess we could think that this wasn't on an organisation but the staff member who made the form, except of course the GDPR insists (as does the ICO) that you keep all staff up to date especially those who may engage with this type of behaviour. So it is still the organisation that needs to work on this.

I won’t be making a specific complaint (aside from this blog) and I am hoping that some of you reading this pause and reflect about your own forms and the data you collect.

Is there a better way of doing it?

Can you have the same level of information but with increased privacy and security for the individual?

I think we can all do better.

[Don't forget that you can join in this conversation by using the comments form at the bottom of the page or by tweeting at @shadowcat_mdk]

  1. I would love to say ‘sorry chaps’ or something similar, but I am not. I think naming and shaming in this case may prove illustrative to them and to others. We have to call this out and it doesn’t always need a letter to the ICO. Hopefully this will be enough to force a change. ↩