I Do Not Think GDPR Means What British Airways Thinks It Means

A security researcher was headed to a privacy technology symposium and ran headlong into British Airways’ approach to data privacy in the process.

To most of us in the United States, GDPR (the EU’s General Data Protection Regulation) just means we get spammed by everyone we’ve ever given our email address to telling us they’ve updated their privacy policy.

For Europeans it means being able to ask companies what information they have on you, and asking to be removed from their database. Of course they need to verify you are who you say you are when asking to be removed, so the remove request requires asking you for personally identifying information. And they can continue to retain certain information about you anyway, to protect themselves from being sued.

There are obligations to protect sensitive information, and to only collect information that’s necessary. And the rules contain threats of substantial fines. Of course what every lawyer dealing with this area has told me is “we don’t really know what it means yet.” That’s because it’s new, and there’s little to go on in terms of what enforcement will look like — and no case law yet.

Still, the general idea is something like the opposite of British Airways insisting that GDPR rules require customers to publicly tweet them personal information in order to get customer service.

This may be broadly reflective of the British Airways approach to the data privacy, however.

British Airways, for its part, suggests that if you’re not comfortable sharing your personal information with myriad marketing firms on the internet then you don’t deserve to check in online.

Hence the conclusion, British Airways “I think you’re doing GDPR wrong.”

About Gary Leff

Gary Leff is one of the foremost experts in the field of miles, points, and frequent business travel - a topic he has covered since 2002. Co-founder of frequent flyer community InsideFlyer.com, emcee of the Freddie Awards, and named one of the "World's Top Travel Experts" by Conde' Nast Traveler (2010-Present) Gary has been a guest on most major news media, profiled in several top print publications, and published broadly on the topic of consumer loyalty. More About Gary »

More articles by Gary Leff »


  1. Yeah tell me. I am unable to retreive a BA PNR because they need to verify its me. The passport data has to be put inside first which, I can only do when I have the PNR.

    They say “otherwise it doesnt pass GDPR”. Bullshit. Hasnt to do with that.

    I have sent them a letter requestion ALL data they are holding on me and for what purpose. I have that right as per GDPR. So within 30 days (flight is in December) I should also have that PNR as its in my file 😀

    Plus someone there has an hour or two work getting my info to me.

Leave a Reply

Your email address will not be published. Required fields are marked *