In the UK on May the 16th this year the OWA gained Royal Assent, and part of this legislation makes it an offence to deliver a “bladed article or product” to a residential address unless the seller has procedures in place to ensure that the recipient is over 18. The Act specifically mentions passports and EU photocard licenses as acceptable proof of age.
An associate of mine recently bought a wok from a well-known cook’s supplies company and was informed when he phoned to order it that it came with a free knife. But in order to be able to send this they would need a scan of his passport in order to prove he was over 18, so he duly scanned it and emailed it to them.
Although the company is being responsible and complying with a law to help prevent under-18s buying knives online, they have created a risk to the company under the DPA 2018 (GDPR). They have caused him to send valuable personal information by unsecure email and now will be storing this data on their systems.
Amazon, Ebay and UPS on the other hand have a system whereby the delivery driver has sight of proof of age but does not copy or make notes of the details. So what we see here is a seller changing a sales process in order to comply with the OWA and inadvertently putting themselves at risk of prosecution under the DPA, rather than considering all of the relevant laws. From the outside it appears to be an example of an organisation not carrying out an assessment to gauge the risks to the person when implementing a new system or way of working. In this instance there is a clear alternative, but no doubt would take a little more effort to implement.