The 5 biggest GDPR fails of 2018

We know GDPR is a tricky beast. The fear and uncertainty around it have been plaguing everyone from Belfast to Belgrade for the past few years. Whether you’re a one-person tech team trying to implement it for a start-up, or a whole squad of CISOs in a multinational corporation, the journey to GDPR’s been real.

When it actually came to it, the infamous 25 May D-Day was really quite underwhelming. It just sort of happened, didn’t it? But that didn’t stop us from getting a good laugh from some of the falsehoods, failures and downright facepalms we’ve seen floating around the internet in the past month, as organisations of all kinds navigate the post-GDPR world.

One month on, we’ve rounded up some of our favourite GDPR facepalm moments. They say humour is the best way to educate. So, here’s hoping!

1. Stop it with the Opt-In!

GDPR means that the customer has to actively give their consent for a website to contact them: they opt in, rather than having to opt out. Simple, right? Wrong, as evidenced by a lot of major brands, including National Express and BT, who still presented pre-ticked or opt-out boxes. Lucky for you, most companies understand the GDPR mechanics, but a handful of companies still don’t get it. And while we see the funny side now, these slip-ups won’t cut it for much longer.

2. When BCC loses the B…

We’ve all had that moment when you’re writing to a colleague or friend and you’re ready to hit send, so you type in their name and ALMOST click the wrong person. Well, a similar thing happened to the New York Times, when instead of using BCC (Blind Carbon Copy) someone used CC (Carbon Copy). That’s right, the NYT sent its new GDPR privacy policy openly to everyone who had written for them, exposing every recipient’s email address to every other recipient, which is itself a disclosure of personal data. Cue one mammoth thread of confusion and recipients replying “Please stop clicking ‘Reply All’”. So next time you inevitably make a mistake with a sent message, just remember that it even happens to the New York Times, and unfortunately for them that could see them faced with a hefty fine.

3. In the words of Adele…

GDPR is a data protection regulation that applies to every company with customers in the EU. So, even companies based outside the EU have to comply with GDPR if they have customers in the EU. Well, despite GDPR day being the most highly anticipated since Y2K, some companies still weren’t prepared. A number of newspapers from our friends across the pond, including the LA Times, were so unprepared that they had no choice but to shut out their European audience. Cut to one month later and, you’ve guessed it, you still can’t access the website from a European VPN. Sort it out, guys. We miss you.

4. So lonely…

Remember when you were younger and you always got so excited about receiving an email? Remember when that feeling stopped when you became inundated with ads and spam? No doubt your inbox bubbled over with emails in the run-up to the 25 May deadline, with organisations reminding you to opt in. Granted, you may have received a lot of emails, but if you weren’t on top of them you may no longer be receiving emails from those few sacred sites you actually want to hear from. Now, if you only have emails from some spammy sites, you need to get out there and sign back up to your OG favourites. (Credit to Lucy Nichol for this one.)

5. Clear as mud

GDPR is complicated enough without companies making it even worse for themselves and their customers. Take Halifax Bank, for example. It was as if they were trying to create a debate as controversial as ‘The Dress’ debacle of 2015 when they invited customers to guess whether the blue or white tick box was opt-in or opt-out. Come to think of it, is this really a fail or the next big internet sensation? Nope, we’re going to stick with fail.

But what does it mean?

GDPR doesn’t need to be difficult

So if you felt overwhelmed by GDPR information, all we can say is no wonder, when we see the blundering confusion it’s caused. Yes, it’s been hard, but it doesn’t have to be as hard as these websites are making out. Put simply, the General Data Protection Regulation is all about making sure that the customer is in control of the personal information they allow companies to access, and making sure that information is handled safely. And for the more complicated bits, there’s a whole host of support out there to make sure your company is navigating GDPR with finesse, not failure.

What was your favourite facepalm moment? Did it fall into our top five? Let us know by dropping us a line!


PUBLISHED BY

Clare Holmes

29 Jun. 2018

