13 Aug Requesting customer data: the (desperate) need for proper processes
Over the past few months, a considerable amount of news addressed the questionable practices adopted by some organisations to allegedly comply with the General Data Protection Regulation (GDPR). Some of these practices also led regulatory authorities to issue fines to ensure that a simple and yet strong message sinks in all organisations’ compliance departments: don’t violate privacy while trying to comply with privacy law. Two key examples are the fines issued to Flybe and Honda for violating the Privacy and Electronic Communication Regulations (PECR) while trying to obtain GDPR-valid consent.
Unfortunately, not every company seems to have the GDPR under control quite yet. Another recent case is the misunderstanding between British Airways and some of their customers, where BA appeared to be requesting customers’ personal data such as names, booking references, registered addresses, ID numbers, email addresses, and even the last four digits of the customers’ payment cards, all on the Twitter public feed. It was unclear on the feed whether customers should send this data for identity-verification purposes or for BA to easily extract their data from their databases. What is clear however is that the customers’ requests were general customer service requests and did not directly relate to data (i.e. they were no Subject Access Requests). This practice drew the attention of customers and press and exposed British Airways to a public relations’ debacle of rare proportions.
But how did this happen? And how can organisations prevent this from happening?
Airlines are just an example of the number of companies offering customer service via Twitter and other social media. This practice should not be discouraged, as it leads to easier access to companies and increased customer satisfaction. Nevertheless, it should always be remembered that social networks are “sharing” tools, and that not every user is aware of the degree of publicity of the content they produce.
To be fair, BA never explicitly requested users to post personal data in public: Twitter is also equipped with a private messaging function. Unfortunately, this function is only available if the account you wish to contact is currently following you. In other words: BA should have followed all their customers for these to be able to send their data in private. As a consequence, it should have been clear to BA that requesting data in a public tweet would have led less expert Twitter users in confusion with a risk to have data ultimately exposed to the public.
This case is a clear demonstration of how poorly conceived processes may result in a damage, pecuniary or reputational, for organisations in the public and private sectors. These fiascos teach organisations important lessons in data protection, and most notably the following.
- GDPR compliance is not ensured by ticking items off a check-list.
In this example, the BA social media managers were probably following an agreed customer service checklist, which included identity verification. Nevertheless, even though they ticked off items from the check-list, they ended up endangering the right to privacy and data protection of their customers, simply because no process was in place to evaluate whether identity verification on a social network could prove risky.
- GDPR compliance is about processes, and most notably how effective these processes are to reach the goal they aim at
In law, reality often surpasses fantasy and it is a difficult task to foresee what situations data protection specialists will face in their daily activities. Nevertheless, this should not discourage data controllers from creating processes that cover as many aspects as possible, including the means through which data subjects should submit their documents for identity verifications. In addition, processes should be reviewed as soon as new situations emerge that have not been foreseen in the previous document version.
- GDPR compliance is about risk mitigation and balance
The GDPR requires organisations to adopt a risk-based approach and to use the necessary caution to ensure adequate proportionality in data processing. Therefore, data controllers should first consider whether the data they request from data subjects to verify their identity is necessary to comply with the request and whether this poses any risks to their privacy. The necessity to have an independent, data-protection-focused point of view is one of the reasons why European institutions encourage organisations to appoint a Data Protection Officer even on a voluntary basis.
- GDPR is about a new data protection culture
The excessive use (even in this blog post!) of the word “compliance” when dealing with the GDPR led some organisations to believe that the GDPR would be nothing more than “an annoyance that” a few consultants could take care of in a few days of work. This could not be farther from the truth. The right to privacy and data protection is a human right protected under national, European, and international law, and it requires a whole new degree of engagement of all functions of an organisation. The GDPR is about making all employees and contractors aware of their responsibility and triggering questions such as “Am I processing data now?”, “Should I process this data at all?”, and, equally important, “Am I processing this data in a way that is respectful of the data subject?”
Contact our DPO team for more information on this topic:
Filippo Marchetti, Data Protection Specialist at Trilateral Research