23 Jul 2018

BA’s GDPR confusion gets the Twitter treatment

Implementing the EU’s General Data Protection Regulation (GDPR) was always going to be a challenge for travel companies, but a recent social media storm centred on British Airways suggests that even the biggest travel brands are not completely on top of the new requirements.

An IT specialist, Mustafa Al-Bassam, noted that British Airways staff were asking customers via Twitter to provide sensitive details about their reservation, with BA stating that this was required for compliance with GDPR.

Information requested from customers included their full name and booking reference, passport number and expiry date, the last four digits of their credit card, postal code and other identifying information.

In reply, some customers have posted personal details in the open, public timeline.

These details may be needed to confirm that customer service agents are dealing with the passenger who holds the reservation. But the wording of a customer service tweet affects how and where customers reply. Other brands, including airlines, hotels and other travel services, have run into the same problem: customers post personal information in public while corresponding with customer service, opening themselves up to fraud.

As another Twitter user pointed out in the BA GDPR thread, searching Twitter for «delete “security reasons”» or «delete “personal information”» returns a long feed of brands having to ask people not to share their personal details on social media when raising customer service complaints.

This highlights a risk for brands on social media: might they be held responsible for customer data posted in public as a result of service misunderstandings and poor personal security practice on the user’s side?

In a statement to tnooz, British Airways addressed its policy for customer correspondence on social media:

“We take our responsibility to protect our customers’ details very seriously. We’d never ask customers to send personal information publicly. When a genuine error is made, we will always go back to the customer to clarify this. Our social media colleagues look after around 2,000 enquiries a day, and like all customer service teams we are always careful to confirm that we are talking to the right person before making any changes to their booking.”

This confirms that British Airways’ primary concern is to verify that it is dealing with the genuine holder of a booking before acting on it, which makes sense from an account security perspective.

But if airlines, or any other brands, simply replied to every such customer with a request to send the necessary details by DM (direct message), and told them not to post any more details in the public timeline, customers would be far less likely to expose personal information to anyone reading the timeline.

In some cases, as the “delete security reasons” feed shows, users ignore a customer service agent’s instruction to delete a tweet containing personal details. The sensitive information then remains in the reply thread attached to the brand’s timeline as well.
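The two practical problems described above, customers pasting booking and identity details into public replies, and agents wording requests in a way that invites them to, are both things a social media team can check mechanically. The following is an added illustration, not code from tnooz, British Airways or anyone quoted in the article. The data formats it looks for are assumptions (a six-character upper-case airline locator, a nine-digit passport number, UK postcodes, a date, the last four card digits), the patterns are anchored on keywords to keep false positives down, and the sample tweets are constructed.

```python
"""Flag personal data in public replies to a brand account, and check that an
agent's own request steers the customer to DM rather than a public reply.
Added example with assumed data formats and constructed sample tweets."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Keyword-anchored patterns: a bare 6-character token would match ordinary
# words (URGENT, PLEASE), so the locator is only flagged next to a cue word
# and only in upper case. Formats are assumptions, not BA's real ones.
PII_PATTERNS = {
    "booking_reference": re.compile(
        r"\b(?i:booking|reference|ref|pnr|locator)\b\W{0,3}"
        r"(?i:is|number|no\.?|#|:)?\W{0,3}([A-Z0-9]{6})\b"),
    "passport_number": re.compile(r"\bpassport\b[^0-9]{0,30}(\d{9})\b", re.I),
    "card_last_four": re.compile(
        r"\b(?:last\s+(?:four|4)|ending(?:\s+in)?)\D{0,20}(\d{4})\b", re.I),
    "expiry_date": re.compile(r"\b(\d{2}[/-]\d{2}[/-]\d{2,4})\b"),
    "uk_postcode": re.compile(r"\b([A-Z]{1,2}\d{1,2}[A-Z]?\s?\d[A-Z]{2})\b"),
}


@dataclass
class Finding:
    kind: str
    redacted: str  # never store the full value; enough to recognise the match


def redact(value: str) -> str:
    """Keep the first two characters so an agent can confirm the match."""
    return value[:2] + "*" * (len(value) - 2)


def scan_public_post(text: str) -> list[Finding]:
    """Return every personal-data match found in a public reply."""
    findings: list[Finding] = []
    for kind, pattern in PII_PATTERNS.items():
        for match in pattern.finditer(text):
            findings.append(Finding(kind, redact(match.group(1))))
    return findings


def triage_public_post(text: str) -> dict:
    """Decide what the agent should do with a public reply: if it carries
    personal data, ask for deletion and move the conversation to DM."""
    kinds = sorted({f.kind for f in scan_public_post(text)})
    action = ("ask customer to delete the post and continue by DM"
              if kinds else "reply normally")
    return {"kinds": kinds, "action": action}


# Checks on the brand's own wording: asking for sensitive details is fine
# only when the reply tells the customer to send them by direct message.
ASKS_FOR_DETAILS = re.compile(
    r"\b(booking reference|passport|card|postcode|date of birth)\b", re.I)
DIRECTS_TO_DM = re.compile(r"\b(DM|direct message|private message)\b", re.I)


def agent_request_is_safe(reply: str) -> bool:
    """True if the draft asks for nothing sensitive, or asks for it by DM."""
    if not ASKS_FOR_DETAILS.search(reply):
        return True
    return DIRECTS_TO_DM.search(reply) is not None


# Constructed sample replies to a fictional @BrandAir account.
SAMPLE_PUBLIC_REPLIES = [
    "@BrandAir my booking reference is ABC123, passport number 123456789 "
    "expires 12/03/2026, card ending 4242, I'm at SW1A 1AA. Please fix my seat!",
    "@BrandAir still no answer on my cancelled flight, this is URGENT",
]

# Constructed draft agent replies.
SAMPLE_AGENT_REPLIES = [
    "Hi, so we can look into this please DM us your booking reference and "
    "the name on the booking. Please don't post them in a public reply.",
    "Hi, please confirm your booking reference and passport number here so "
    "we can help.",
]

if __name__ == "__main__":
    for post in SAMPLE_PUBLIC_REPLIES:
        print(triage_public_post(post))
    for draft in SAMPLE_AGENT_REPLIES:
        print(agent_request_is_safe(draft), "-", draft[:40])
```

Run against the constructed samples, the first public reply is flagged for all five data kinds and the second for none, while only the first draft agent reply passes the wording check, because it asks for the same details but by DM. The redaction is deliberate: a tool that logs full passport or card numbers while hunting for leaked passport or card numbers just creates a second copy to protect.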

This is where GDPR policy may get blurry. Are brands responsible for deleting the personal details of customers who have unwittingly disclosed them in public, when the customer fails to do so? If so, what would the procedure be, given that a brand cannot delete another user’s tweet?

If the brand deleted its side of the correspondence, the reply tweet, the customer’s tweet would still exist in the user’s own timeline but would no longer be attached to the brand’s thread. It would, however, still mention the brand’s handle and remain findable through search. Whether deleting the reply is sufficient protection for compliance with GDPR is an open question.

Ad-blocker conundrum

The IT specialist who raised concerns on this point had his own issues with BA that also touch on GDPR policy. His initial reason for contacting BA was difficulty checking in online while using an ad-blocking browser. He claims to have discovered that he could not check in unless he allowed the third-party data sharing that the ad-blocker was preventing. The basis of his GDPR complaint letter to BA, which he also posted on Twitter, is that he had not given BA consent to gather or share data in this instance.

British Airways responded:

“We are transparent with customers about our cookie terms and conditions, and always ask them to review the details before choosing whether to accept or opt out.”

It would be worth reviewing third-party ad and tracking scripts in the online self-service flow to make sure that a GDPR-friendly option exists. In this specific case, it appears that British Airways does not allow online check-in for users who decline the ads or the sharing of their details with third parties.

However, the reply from BA’s own Twitter customer service staff was that he should clear his cookies and browsing history and check in at the airport. He dismissed this as an inadequate and inaccurate response to his concerns: clearing local browser state does nothing to retrieve data already collected, because the data gathered when the transaction runs without an ad-blocker resides with BA and its third-party partners, not in his browser history.

Takeaways

Customer service agents may need guidance on basic GDPR requirements so they can respond appropriately when customers raise concerns.

All brands should note that GDPR compliance is complicated by social media conversations. It would be advisable to review current practices to reduce potential liability.

This event, and the questions it raises, suggest that potential GDPR liabilities could make Twitter a high-risk customer service platform. One solution might be to limit the scope of services offered on Twitter, or perhaps the days of using Twitter as a customer service desk are coming to an end.