I see the ICO only gets involved when it's news and a big breach, other than that they appear to not give a fuck. Reported a car ticketing company that weren't using HTTPS on their site yet requesting quite a lot of ID over their shitting web form (not my ticket).
And while we're at it. Like has been mentioned, does the private company have permission to hold said details? They can't spout the bullshit it's for security so we have a right under GDPR to hold images. People in the area all now need to just throw loads of SAR requests at them until they give in and delete the lot.
Have done that in a Waitrose car park. Parked, shopped, got no ticket but didn't want my plate on their database forever, the parking company. Requested under Right to be Forgotten for it to be removed. They claimed they can keep it for as long as 6 months as they use the ANPR system for CCTV security and nothing to worry about as not getting a ticket. I then pointed out GDPR states ANPR can't be used for CCTV purposes so delete the number plate now please. They did. I requested they also remove it from their backups. They've stopped replying to me now.
:)
I like being an annoying dick at times. Guess its why I have no friends.
Biting the hand that feeds IT
