Last week, British Airways (BA) became one of the first public relations victims of the General Data Protection Regulation (GDPR). Per reports from TechCrunch, BA requested that individuals who had tweeted BA regarding flight delay complaints respond on Twitter—to the public—with personal information, purportedly in order to comply with the GDPR. The personal information that BA representatives requested included full names, billing addresses, dates of birth, the last 4 digits of payment cards, and even passport numbers. Eventually, BA clarified that it did not mean that users should respond with the requested information in the public feed, but rather that they should do so via direct message (DM).
The original customer complaints tweeted at BA appeared to be typical customer service directed inquiries that one would expect BA to receive after a rash of cancelled flights related to an IT issue. So why are we talking about GDPR at all?
Well, GDPR includes what is known as the Right of Access, and this right provides individuals with the ability to inquire into whether a company has collected the individual’s data and even receive a copy of all the data that company has collected from the individual, along with the reasons it was collected and other information. Individuals can use Data Subject Access Requests or “DSARs” to exercise the Right of Access and other rights, such as the Right to be Forgotten (i.e. delete all my data), the Right to Data Portability, opt-out, etc. Organizations must respond to a DSAR within one month of receipt (extendable by up to two further months for complex or numerous requests) and may, within the parameters of GDPR, confirm an individual’s identity before complying with a request. This is to ensure, among other things, that personal data will not be released to an impostor or unauthorized party. The idea is to provide additional security to help prevent a data breach through which personal data could wind up in the wrong hands.
The Information Commissioner’s Office (ICO)—the UK’s independent data protection authority that provides guidance on all things GDPR—has advised that DSARs are valid regardless of how they reach the company. This creates a bit of a headache for large organizations, as these requests can come from many different places, in many different forms. The prudent strategy is to create a specific portal where users are directed to lodge their DSARs. The organization’s privacy team will then take steps designed to ensure that DSARs that come in by phone, email, or even tweet are directed to the same portal so they can be handled in a consistent manner by privacy-trained personnel. That does not mean DSARs should be handled like ordinary customer service inquiries, or that ordinary inquiries should be treated as DSARs. Organizations should set up a system where customer service personnel and the privacy team can speak with one another and promptly decide what is a DSAR and what is a customer service complaint, just as the customer service department can forward inquiries to the IT department, the fraud department, etc. The identity check itself should also be proportionate: ask only for enough information to confirm that the requester is who they claim to be, and collect it through a channel the organization controls rather than a third-party social platform. Each inquiry, regardless of type, should then be handled appropriately—and probably not over Twitter.
GDPR, and the forthcoming California Consumer Privacy Act, which also has a similar individual access right, require a great many new efforts from organizations. Trying to slot the compliance initiatives that these new laws demand into existing buckets without proper training of personnel or department integration can create quite a bit of confusion—and confusion can cause mishaps that might cost up to 20 million euros/4 percent of annual global turnover . . . or just a lot of embarrassment.