Let’s all take a minute to appreciate the view inside the British Airways social media cockpit, where staffers at the coalface of the airline’s Twitter account have presided over a wildly unusual ‘interpretation’ of Europe’s new data protection rules.
One that, er, suggests rather the opposite of GDPR compliance… Given the company’s social media staff have been caught encouraging customers to post personal data such as their address and passport number into a public forum — and here’s the anti-privacy cherry! — claiming it’s necessary for GDPR compliance!
Insert your own [facepalm of choice]…
Mustafa Al-Bassam, the UCL information security PhD student who flagged the company’s social media fail in the above Twitter thread, has since filed his own data protection complaint against British Airways — after discovering its check-in page was leaking his personal data to a bunch of third parties for ad targeting purposes.
Now that might be okay — say if the company had asked for and obtained consent to share his data. Or if it had another valid legal basis for collecting the data, i.e. one other than consent. Though it’s pretty hard to imagine what might legally justify an airline sharing paying customers’ personal information and travel data with advertisers without their express consent…
Well, Al-Bassam says he was not asked for consent to share his information with advertisers. And if you’re processing data on the basis of consent — as British Airways’ privacy policy appears to suggest is what the company thinks it’s doing here — then GDPR does in fact require you to actually ask for and actually obtain consent first.
tl;dr: Consent by default is not consent. So again the company appears to be suffering from some kind of regulatory delusion syndrome where whatever it thinks GDPR compliance means is what GDPR compliance means. Say, like embedding a catch-all ‘consent’ in the depths of a privacy policy. Or just saying the word ‘GDPR’ out loud three times while looking in the mirror.
Hint: Nope! Not compliance! No!
We reached out to British Airways to discuss its approach to GDPR compliance but at the time of writing the company had not responded to a request for comment.
Asked if it could offer the company any GDPR guidance, a spokesperson for the UK’s data protection watchdog told us: “Any personal information that an organisation asks for must be limited to what’s necessary for that purpose. Any processing of that information must be secure and take appropriate technical and organisational precautions.”
Of course the airline is by no means the only company failing entirely to grok GDPR. The regulation is still pretty new (having come into force on May 25) and there are clearly A LOT of privacy dents still to be ironed out across the web.
Some of these are accidental and/or idiotic kinks. Others look far more like an intentional bending of the rules (hi Facebook!). But given the GDPR regime also carries punitive fines for compliance breaches (hello lawsuits!) it’s to be hoped that none of these privacy fails — accidental, spectacularly stupid, intentionally hostile or otherwise — will be around for too long.