What you can learn from British Airways’ GDPR fiasco

Can you imagine what would happen when an airline asks you to post your full name, booking reference, and two of the following: your passport number and expiry date, the last four digits of your payment card, billing address, and postcode, and email address, on a public forum (like Twitter)?

Passengers, desperate for help, will respond.

That’s exactly what happened to British Airways. On it’s official Twitter handle, the airline’s customer service staff asked customers for the data, causing many to unwittingly part with critical personal and private data.

What’s worse is that the representatives claimed the request was being made in order to comply with the European Union’s new privacy code: The General Data Protection Regulation (GDPR).

So British Airways is asking for people's personal data over social media "to comply with GDPR", and some people are even replying directly in the public feed.

uwotm8 pic.twitter.com/yUvCQ5Gti9

— Mustafa Al-Bassam (@musalbas) July 16, 2018

However, as you can imagine, the staff were mistaken, and were in gross violation of the very law they were attempting to comply with.

Good intent alone, unfortunately, doesn’t excuse the airline. The company’s been facing severe backlash on social media and now, the regulator, after it’s response on social media made headlines.

Mustafa Al-Bassam, who discovered (and reported) the company’s violation on Twitter then went on to study the company’s data practices and found several other violations. He’s posted an open letter about his findings on Github.

Here’s an important section of his letter, documenting an even bigger violation – which could potentially cost the company millions of dollars:

“Recently, I tried to check-in online on your website, but the interstitial page did not redirect me, and thus I was unable to check-in. I discovered that this was because my adblocker was enabled.

“After disabling my adblocker, I discovered that your check-in page was leaking my booking reference and surname to countless third parties for advertising purposes, including Twitter, LinkedIn, and Google Doubleclick.

“I do not recall explicitly consenting for my information to be shared in this way, nor do I see any way to opt-out or withdraw my consent.

“This all appears to be a violation of article 7 of GDPR for conditions of consent, which states “where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data” and “the data subject shall have the right to withdraw his or her consent at any time”.

What companies must learn

While British Airways seems to be working on controlling the damage to its reputation after the lapse on social media last week, there are critical lessons that it can teach companies about compliance.

Compliance is about processes

When companies think about compliance, they must evaluate every business process and ensure that every single process is made compliant.

Failure to do so can wreak havoc on the company when lapses are discovered in the process, later in the day.

In the case of compliance, businesses must accept Murphy’s law (everything that can go wrong, will go wrong) and prepare to fail-proof or idiot-proof everything possible.

Compliance is about risk mitigation

When planning for compliance, companies need to assess the risk associated with each process and division.

Certain processes might be riskier than others. For example, social media outreach might be an easy process on its own, but in light of the GDPR, can be a complicated and risky affair.

If businesses think about the risks associated with certain processes beforehand, they’ll not only be able to better plan for compliance but also be better equipped to handle issues resulting from non-compliance if any.

Compliance is about technology

Quite often, the people handling compliance don’t understand technology in the way they need to.

As a result, there’s a knowledge gap that people struggle to fulfill, which gives rise to complications when it comes to crafting strategies that aggressively help the organization comply.

The fact is, most organizations want to comply with the law. Hence, failure to do so is often a result of a lack of understanding that causes lapses in formulating new policies and practices.

When creating teams to draft compliance policies in light of the GDPR or other new laws, businesses must ensure there is a good mix of expertise in the group, helping the legal experts spot areas of concern they’d otherwise miss.