Thought Piece

British Airways and Google GDPR failures: what can we all learn?

Companies are still falling foul of GDPR despite it having been in effect for well over a year, since May 2018.

The General Data Protection Regulation, known as GDPR, was the largest overhaul of European data protection and privacy in 20 years. The EU law is designed to align company data and privacy practices across Europe, as well as to address the export of personal information to the rest of the world.

Regulation updates affect all businesses, both large and small, requiring information controllers to properly look after data. Anyone not complying with GDPR risks scrutiny from domestic regulatory commissions.

The changes are not to be taken lightly, with businesses scrambling to comply even after the deadline. Regulators are quick to punish transgressions with increasingly large fines.

A survey compiled by TrustArc reveals that, incredibly, only 20% of companies believe they met regulations in time for the deadline.

“There were no hard and fast rules so the biggest challenge was working out how to interpret the guidelines,” explains one small business owner.

A short timeframe and radical overhaul left many businesses struggling to comply.

“I guess the new challenges of internet privacy needed regulation. It made us examine how we store and process data. I think businesses should have been given more help to comply.”

British Airways handed largest GDPR fine

It’s not just small businesses that have struggled to meet GDPR standards. The UK’s Information Commissioner’s Office (ICO) recently hit British Airways with the largest ever sanction of £183 million.

With the authorities generally guarding news about the collection of fines, the publicized BA case is a clear warning sign to others flouting regulation. The punishment could have been worse for the international airline. GDPR stipulates that a fine of up to 4% of global turnover can be issued. £183 million represents 1.5% of BA’s 2017 global turnover, which is still a far heavier penalty than ever previously seen.

In fact, the previous largest data privacy fine for UK companies was just £500,000, the maximum under the old regulation. The ICO explains that hackers stole logins, payment card and travel booking data, which was “compromised” by the company’s ineffective security provisions.

Google misleading on data collection

It is believed that over 100 companies have so far been issued with fines, including Google. In January 2019, French regulator CNIL hit the tech firm with a €50 million punishment for failing to meet GDPR.

Whilst there was no clear data breach or leak, the company was still deemed to be overlooking rules during the collection of personal information. Google was penalized for failing to acquire users’ ‘genuine consent’ in an explicit opt-in process.

CNIL determined that its data consent policy lacked transparency and spanned several documents: “Users are not able to fully understand the extent of the data processing operation carried out by Google.”

The fine was small compared to what British Airways face, especially with Google’s 2017 turnover in excess of $100 billion.

The search engine and software developer has faced numerous accusations across Europe, with its deep-reaching technology raising issues around data collection for location services.

Keeping regulators happy, mistakes to avoid

After over a year of GDPR and increasing penalties for misbehavior, what have we learned?

GDPR is not going to be swept under the rug. Whether there is a data breach or not, businesses can easily find themselves in hot water for negligent behavior.

Regulators are scrutinizing unintentional mistakes, looking for ignorance, neglect, sloppiness, and laziness.

No matter the reason for failing to meet the rules, any violation is deemed punishable. And with good reason: the loss, theft or trade of personal information can have devastating effects for the individuals involved.

BA wasn’t responsible, was it?

As British Airways have found out, companies are even liable when criminal acts are used to steal data.

“British Airways responded quickly to a criminal act to steal customers’ data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft,” said British Airways chief executive Alex Cruz.

Being compliant needs to be coupled with ongoing monitoring for suspicious activity. The aim of GDPR is not to make sure all companies are following regulation but to actively protect European citizens.

“However fast regulation moves, technology moves faster. Especially as far as data is concerned,” said Elizabeth Denham, UK Information Commissioner.

Breach notifications are a must to allow consumers to protect themselves. In the first year alone there were nearly 90,000 breach notifications. Any leak of personal data must be reported within 72 hours of discovery, which includes alerting affected customers.

Securing personal data is a headache for all companies facing determined criminals looking for any weak points. Increased pressure from GDPR is encouraging many companies to look at blockchain privacy solutions such as The Tide Protocol. Leveraging distributed ledger technology to tightly restrict access to personal data to approved individuals, together with the immutable nature of a fully transparent audit trail, makes for ultra-secure storage along with full authority, adequate sovereignty and proper accountability over one’s aspect of digital identity.

Businesses can also hugely reduce risk with the ‘right to be forgotten’, or data erasure. Whilst customers have the right to have their data destroyed, companies must also take the initiative. Information deemed irrelevant or no longer used for its original purposes should be deleted. You can’t hold old data for no reason. Not only is this a requirement but also a way of reducing exposure: with no data there is no risk. Many information controllers still fall foul in this respect, often on email lists and marketing channels. Using an email address for marketing without clear consent is an exposure point.

Google paying lip service to GDPR

Companies committing deliberate and blatant violations can expect to join the list of harshest fines. Google is a little overshadowed by BA now, but €50 million is still a substantial penalty.

Wallpapering over the cracks, paying lip service or deceiving customers: whatever you call it, regulators are looking for you, with the help of the general public. Data does not even have to be breached for a company to be liable.

You can think of it as ‘driving dangerously’. You may not be breaking the speed limit but you’re still a risky proposition.

GDPR is not just a method to align policy for fluid data across Europe. It is structured to empower and protect all citizens. And the public is aware. No company can comfortably hide, big or small.

One year of regulation yielded 144,376 queries and complaints to authorities across Europe, quite a few of them aimed at Google, which was hiding data usage in long-form documents with no clear consent.

What’s the lesson? Well, businesses can’t hide. They are forced to be upfront and transparent with customers, making it easy for them to choose how their personal information is used and stored. If not, complaints are easily filed and regulators will not treat violators lightly.

“The new legislation creates an onus on companies to understand the risks that they create for others, and to mitigate those risks. It’s about moving away from seeing the law as a box-ticking exercise, and instead to work on a framework that can be used to build a culture of privacy that pervades an entire organization.” — Elizabeth Denham.
