Thought Piece

British Airways and Google GDPR failures: what can we all learn?

Companies are still falling foul of GDPR, despite the regulation having been in effect since May 2018, well over a year ago.

The General Data Protection Regulation, known as GDPR, was the largest overhaul of European data protection and privacy law in 20 years. The EU law is designed to align company data and privacy practices across Europe, as well as addressing the export of personal information to the rest of the world.

The regulation affects all businesses, large and small, requiring data controllers to look after personal data properly. Anyone not complying with GDPR risks scrutiny from their domestic regulator.

The changes are not to be taken lightly, with businesses still scrambling to comply even after the deadline. Regulators are quick to punish transgressions with increasingly large fines.

A survey compiled by TrustArc reveals that only 20% of companies believe they met the regulation's requirements in time for the deadline.

“There were no hard and fast rules, so the biggest challenge was working out how to interpret the guidelines,” explains one small business owner.

A short timeframe and radical overhaul left many businesses struggling to comply.

“I guess the new challenges of internet privacy needed regulation. It made us examine how we store and process data. I think businesses should have been given more help to comply.”

British Airways handed largest GDPR fine

It’s not just small businesses who have struggled to meet GDPR standards. The UK’s Information Commissioner’s Office (ICO) recently levied the largest ever GDPR sanction, £183 million, against British Airways.

With the authorities generally guarding news about the fines they collect, the publicized BA case is a clear warning sign to others flouting the regulation. The punishment could have been worse for the international airline: GDPR stipulates that a fine of up to 4% of global turnover can be issued. £183 million represents 1.5% of BA’s 2017 global turnover, which is still a far heavier penalty than ever previously seen.

In fact, the preceding largest data privacy fine for a UK company was just £500,000, the maximum under the old regulation. The ICO explains that hackers stole logins, payment card and travel booking data, which it says was “compromised” by the company’s ineffective security provisions.

Google misleading on data collection

It is believed that over 100 companies have so far been issued with fines, including Google. In January 2019, the French regulator CNIL hit the tech firm with a €50 million penalty for failing to meet GDPR requirements.

Whilst there was no clear data breach or leak, the company was still deemed to be overlooking the rules in how it collected personal information. Google was penalized for failing to acquire users’ ‘genuine consent’ through an explicit opt-in process.

CNIL determined that its data consent policy lacked transparency and was spread across several documents: “Users are not able to fully understand the extent of the data processing operations carried out by Google.”

The fine was small compared to what British Airways faces, especially given Google’s 2017 turnover in excess of $100 billion.

The search engine and software developer has faced numerous accusations across Europe, with its far-reaching technology raising issues around data collection for location services.

Keeping regulators happy: mistakes to avoid

After more than a year of GDPR and increasing penalties for misbehavior, what have we learned?

GDPR is not going to be swept under the rug. Whether or not there is a data breach, businesses can easily find themselves in hot water for negligent behavior.

Regulators are scrutinizing unintentional mistakes, looking for ignorance, neglect, sloppiness and laziness.

No matter the reason for failing to meet the rules, any violation is deemed punishable. And with good reason: the loss, theft or trade of personal information can have devastating effects for the individuals involved.

BA wasn’t responsible, was it?

As British Airways has found out, companies are liable even when the data is stolen through a criminal act.

“British Airways responded quickly to a criminal act to steal customers’ data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft,” said British Airways chief executive Alex Cruz.

Being compliant needs to be coupled with ongoing monitoring for suspicious activity. The aim of GDPR is not merely to make sure all companies follow the regulation, but to actively protect European citizens.

“However fast regulation moves, technology moves faster, especially as far as data is concerned,” said Elizabeth Denham, UK Information Commissioner.

Breach notifications are a must, so that consumers can protect themselves. In the first year alone there were nearly 90,000 breach notifications. Any leak of personal data must be reported within 72 hours of discovery, which includes alerting affected customers.

Securing personal data is a headache for all companies facing determined criminals looking for any weak point. Increased pressure from GDPR is encouraging many companies to look at blockchain privacy solutions such as the Tide Protocol. It leverages distributed ledger technology to tightly manage access permissions, so that personal data can be accessed only by approved individuals; combined with the immutable nature of a fully transparent audit trail, this makes for ultra-secure storage along with full authority, adequate sovereignty and proper accountability over one’s own aspect of digital identity.

Businesses can also hugely reduce risk through the ‘right to be forgotten’, or data erasure. Whilst customers have the right to have their data destroyed, companies must also take the initiative: information deemed irrelevant, or no longer used for the purpose it was originally collected for, should be deleted. You can’t hold old data for no reason. Not only is this a requirement, it is also a way of reducing exposure: with no data there is no risk. Many data controllers still fall foul in this respect, often on email lists and marketing channels. Using an email address for marketing without clear consent is an exposure point.
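The retention and consent checks described above can be reduced to a simple, auditable rule. The following is an added illustration, not code from the article or from the Tide Protocol: it walks a constructed list of customer records and erases any record whose customer requested erasure, whose purpose has no documented retention period, whose retention period has lapsed since the data last served its purpose, or which is held for marketing without a recorded opt-in. The purposes, retention lengths, e-mail addresses and dates are all made-up sample values, not GDPR-mandated numbers.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Retention limits per collection purpose. These are constructed policy values
# for the example; GDPR does not prescribe fixed periods, the controller must
# justify and document its own.
RETENTION = {
    "booking": timedelta(days=730),
    "marketing": timedelta(days=365),
}


@dataclass
class CustomerRecord:
    email: str
    purpose: str                      # purpose the data was originally collected for
    last_used_on: date                # last time the data actually served that purpose
    marketing_consent: bool           # explicit opt-in recorded for marketing use
    erasure_requested: bool = False   # customer exercised the right to be forgotten


def erasure_reason(record, today):
    """Return why the record must be erased, or None if it may be retained."""
    if record.erasure_requested:
        return "erasure_requested"
    if record.purpose == "marketing" and not record.marketing_consent:
        # Marketing without clear consent is the exposure point the article names.
        return "no_consent"
    limit = RETENTION.get(record.purpose)
    if limit is None:
        # No documented purpose means no basis for holding the data at all.
        return "unknown_purpose"
    if today - record.last_used_on > limit:
        return "retention_expired"
    return None


def apply_retention(records, today):
    """Split records into those to keep and (email, reason) pairs to erase."""
    kept, erased = [], []
    for record in records:
        reason = erasure_reason(record, today)
        if reason:
            erased.append((record.email, reason))
        else:
            kept.append(record)
    return kept, erased


def marketing_list(records):
    """Only addresses with a recorded opt-in may be used for marketing."""
    return sorted(r.email for r in records if r.marketing_consent)


# Constructed sample data; every value here is invented for the example.
TODAY = date(2019, 9, 1)
SAMPLE = [
    CustomerRecord("a@example.com", "booking", date(2019, 8, 20), False),
    CustomerRecord("b@example.com", "marketing", date(2018, 3, 1), True),
    CustomerRecord("c@example.com", "booking", date(2019, 7, 1), True, erasure_requested=True),
    CustomerRecord("d@example.com", "marketing", date(2019, 8, 1), True),
    CustomerRecord("e@example.com", "marketing", date(2019, 8, 15), False),
    CustomerRecord("f@example.com", "legacy_import", date(2019, 8, 30), True),
]


def demo():
    kept, erased = apply_retention(SAMPLE, TODAY)
    return {
        "kept": sorted(r.email for r in kept),
        "erased": erased,
        "marketing": marketing_list(kept),
    }


if __name__ == "__main__":
    result = demo()
    for email, reason in result["erased"]:
        print(f"erase {email}: {reason}")
    print("retained:", result["kept"])
    print("marketing list:", result["marketing"])
```

The reason string returned for each erasure is what you would write to the audit log; being able to show a regulator why each record was deleted, and why each retained record still has a purpose and a legal basis, is the point of the exercise.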

Google paying lip service to GDPR

Deliberate and blatant violations can expect to attract the harshest fines. Google is a little overshadowed by BA now, but €50 million is still a substantial penalty.

Wallpapering over the cracks, paying lip service or deceiving customers: whatever you call it, regulators are looking for you, with the help of the general public. Data does not even have to be breached for a company to be liable.

You can think of it as ‘driving dangerously’: you may not be breaking the speed limit, but you’re still a risky proposition.

GDPR is not just a method to align policy for data flows across Europe. It is structured to empower and protect all citizens, and the public is aware. No company, big or small, can comfortably hide.

One year of regulation yielded 144,376 queries and complaints to authorities across Europe, quite a few of them aimed at Google, which was hiding its data usage in long-form documents with no clear consent.

What’s the lesson? Businesses can’t hide. They are forced to be upfront and transparent with customers, making it easy for them to choose how their personal information is used and stored. If not, complaints are easily filed, and regulators will not take violators lightly.

“The new legislation creates an onus on companies to understand the risks that they create for others, and to mitigate those risks. It’s about moving away from seeing the law as a box-ticking exercise, and instead to work on a framework that can be used to build a culture of privacy that pervades an entire organization.” — Elizabeth Denham.
