Last week (July 17) British Airways scored a spectacular privacy own goal for which the most charitable comment would be that it might consider GDPR training for its social media team.
As Heathrow sweltered in some of the hottest temperatures the UK has known, it wasn’t just the mercury rising. People’s tempers were starting to fray as well, with flight delays also being caused by air-traffic control industrial action in mainland Europe.
In response to a number of tweets from impatient customers, British Airways tweeted that the complainants ought to reply with private details. The tweet, from “Kelly”, read:
“… please confirm your full name & booking reference. We also need 2 of the following: passport number & expiry date, the last 4 digits of the payment card, billing address & postcode, email address…”
As if that were not jaw-droppingly bad enough, Kelly even claimed that they wanted these “to comply with GDPR”. Though some customers were naïve enough to respond with the requested information, others could not believe what they were reading, among them Mustafa Al-Bassam, a computer information security PhD student at University College London who was, ironically, on BA’s Twitter page trying to find information about a flight he was taking to Barcelona to attend the “Privacy Enhancing Technologies Symposium”.
He was not the only one to call out BA for this massive misunderstanding of what GDPR means. User Elaine Matthews tweeted: “BA – I suggest that you contact the Information Commissioner to find out exactly what GDPR means…”
Eventually – Mr Al-Bassam says after six hours – BA clarified that any such information should be sent via direct message (DM). Separately, Mr Al-Bassam is now filing a different data privacy complaint against BA, claiming that, without his consent, it had leaked his personal data from its check-in page to third-party advertisers seeking to sell him additional services related to his flight.
BA tried to defend itself against the ill-advised tweet, pointing out that its social media team handles around 2,000 enquiries per day, but that cut little ice with angry customers. It might not cut much ice with the Information Commissioner either.
Lawyer James Mariani of US firm Frankfurt Kurnit Klein & Selz said of the fiasco that one way BA could have avoided getting into this mess would be by clearly differentiating between customer service enquiries and data requests.
He argues that best practice and “prudent strategy” would suggest that companies should create a specific portal where customers are directed for specific GDPR-sensitive queries: “Organizations should set up a system where customer service personnel and the privacy team can speak with one another and promptly decide what is a data subject access request and what is a customer service complaint, just as the customer service department can forward inquiries to the IT department, the fraud department, etc. Each inquiry, regardless of type, should then be handled appropriately—and probably not over Twitter.”
As ever, talking to each other is the best way.