British Airways and Google GDPR failures: what can we all learn?

Dom Valladolid, published in Tide Foundation, Jul 12, 2019

Companies are still falling foul of GDPR despite it having been in effect since May 2018, well over a year ago.

General Data Protection Regulation, known as GDPR, was the largest overhaul in European data protection and privacy in 20 years. The EU law is designed to align company data and privacy practices across Europe as well as addressing the export of personal information to the rest of the world.

The regulation affects all businesses, large and small, requiring data controllers to look after personal data properly. Anyone not complying with GDPR risks scrutiny from their national regulator.

The changes are not to be taken lightly with businesses scrambling to comply even after the deadline. Regulators are quick to punish transgressions with increasingly large fines.

Remarkably, a survey compiled by Trustarc reveals that only 20% of companies believe they met the regulations in time for the deadline.

“There were no hard and fast rules, so the biggest challenge was working out how to interpret the guidelines,” explains one small business owner.

A short timeframe and radical overhaul left many businesses struggling to comply.

“I guess the new challenges of internet privacy needed regulation. It made us examine how we store and process data. I think businesses should have been given more help to comply.”

British Airways handed largest GDPR fine

It’s not just small businesses who have struggled to meet GDPR standards. The UK’s Information Commissioner’s Office (ICO) recently fined British Airways £183 million, the largest sanction ever issued under the regulation.

With the authorities generally keeping quiet about the fines they collect, the widely publicized BA case is a clear warning to others flouting the regulation. The punishment could have been worse for the international airline: GDPR allows a fine of up to 4% of global turnover. £183 million represents 1.5% of BA’s 2017 global turnover, which is still a far heavier penalty than anything previously seen.

In fact, the previous largest data privacy fine for a UK company was just £500,000, the maximum under the old regulation. The ICO explains that hackers stole logins, payment card and travel booking data, which was “compromised” because of the company’s ineffective security provisions.

Google misleading on data collection

It is believed that over 100 companies have so far been issued with fines, including Google. In January 2019, the French regulator CNIL hit the tech firm with a €50 million penalty for failing to meet GDPR requirements.

Whilst there was no clear data breach or leak, the company was still deemed to have overlooked the rules when collecting personal information. Google was penalized for failing to obtain users’ ‘genuine consent’ through an explicit opt-in process.

CNIL determined that Google’s data consent policy lacked transparency and was spread across several documents: “Users are not able to fully understand the extent of the data processing operation carried out by Google.”

The fine was small compared to what British Airways faces, especially given that Google’s 2017 turnover exceeded $100 billion.

The search engine and software developer has faced numerous accusations across Europe, with its far-reaching technology raising repeated concerns about the data it collects for location services.

Keeping regulators happy: mistakes to avoid

After more than a year of GDPR and ever-increasing penalties for misbehavior, what have we learned?

GDPR is not going to be swept under the rug. Whether or not there is a data breach, businesses can easily find themselves in hot water for negligent behavior.

Regulators are scrutinizing unintentional mistakes, looking for ignorance, neglect, sloppiness and laziness.

No matter the reason for failing to meet the rules, any violation is deemed punishable, and with good reason: the loss, theft or trade of personal information can have devastating effects for the individuals involved.

BA wasn’t responsible, was it?

As British Airways has found out, companies are liable even when criminal acts are used to steal data.

“British Airways responded quickly to a criminal act to steal customers’ data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft,” said British Airways chief executive Alex Cruz.

Being compliant needs to be coupled with ongoing monitoring for suspicious activity. The aim of GDPR is not simply to make sure all companies follow the regulation, but to actively protect European citizens.

“However fast regulation moves, technology moves faster. Especially as far as data is concerned,” said Elizabeth Denham, UK Information Commissioner.

Breach notifications are a must to allow consumers to protect themselves. In the first year alone there were nearly 90,000 breach notifications. Any leak of personal data must be reported within 72 hours of discovery, which includes alerting the affected customers.

Securing personal data is a headache for all companies facing determined criminals looking for any weak point. Increased pressure from GDPR is encouraging many companies to look at blockchain privacy solutions such as The Tide Protocol. It leverages distributed ledger technology so that access permissions to personal data are tightly managed and granted only to approved individuals, while the immutable nature of a fully transparent audit trail makes for highly secure storage along with full authority, adequate sovereignty and proper accountability over one’s own aspect of digital identity.

Businesses can also hugely reduce risk through the ‘right to be forgotten’, or data erasure. Whilst customers have the right to have their data destroyed, companies must also take the initiative: information deemed irrelevant or no longer used for its original purpose should be deleted. You can’t hold old data for no reason. Not only is this a requirement, it is also a way of reducing exposure; with no data there is no risk. Many data controllers still fall foul in this respect, often on email lists and marketing channels. Using an email address for marketing without clear consent is an exposure point.

Google paying lip service to GDPR

Deliberate and blatant violations can expect to join the list of harshest fines. Google is a little overshadowed by BA now, but €50 million is still a substantial penalty.

Wallpapering over the cracks, paying lip service or deceiving customers: whatever you call it, regulators are looking for you, with the help of the general public. Data does not even have to be breached for a company to be liable.

You can think of it as ‘driving dangerously’. You may not be breaking the speed limit but you’re still a risky proposition.

GDPR is not just a method to align policy for data flowing across Europe. It is structured to empower and protect all citizens. And the public is aware: no company, big or small, can comfortably hide.

One year of regulation yielded 144,376 queries and complaints to authorities across Europe. Quite a few of them were aimed at Google, which was hiding its data usage in long-form documents with no clear consent.

What’s the lesson? Well, businesses can’t hide. They are forced to be upfront and transparent with customers, making it easy for them to choose how their personal information is used and stored. If not, complaints are easily filed and regulators will not take violators lightly.

“The new legislation creates an onus on companies to understand the risks that they create for others, and to mitigate those risks. It’s about moving away from seeing the law as a box-ticking exercise, and instead to work on a framework that can be used to build a culture of privacy that pervades an entire organization.” — Elizabeth Denham.
