The 5 biggest GDPR fails of 2018

We know GDPR is a tricky beast. The fear and uncertainty around it have been plaguing everyone from Belfast to Belgrade for the past few years. Whether you’re a one-person tech team trying to implement for a start-up, or a sentry of CISOs in a multinational corporation, the journey to GDPR’s been real.

When it actually came to it, the infamous 25 May D-Day was really quite underwhelming. It just sort of happened, didn’t it? But that didn’t stop us from getting a good laugh from some of the falsehoods, failures and downright facepalms we’ve seen floating around the internet in the past month, as organisations of all kinds navigate the post-GDPR world.

One month on, we’ve rounded up some of our favourite GDPR facepalm moments. They say humour is the best way to educate. So, here’s hoping!

1. Stop it with the Opt-In!

GDPR means that the customer has to actively give their consent to the website to contact them — that’s to say they opt-in, rather than opt-out. Simple, right? Wrong! As evidenced by a lot of major brands, including National Express and BT. Lucky for you, most companies understand the GDPR mechanics, but a handful of companies still don’t get it. And while we see the funny side now, these slip-ups won’t cut it for much longer.

2. When BCC loses the B…

We’ve all had that moment when you’re writing to a colleague or friend and you’re ready to hit send, so you type in their name and ALMOST click the wrong person. Well, a similar thing happened to the New York Times, when instead of clicking BCC (Blind Carbon Copy) someone clicked CC (Carbon Copy). That’s right, the NYT sent its new GDPR privacy policy openly to anyone who had written for them. Cue one mammoth thread of confusion and recipients replying “Please stop clicking ‘Reply All’”. So next time you inevitably make a mistake with a sent message, just remember that it even happens with the New York Times, and unfortunately for them that could see them faced with a hefty fine.

3. In the words of Adele…

GDPR is a protection regulation that all companies who have customers within the EU need to comply with. So, even companies outside the EU have to comply with GDPR if they have customers from the EU. Well, despite GDPR day being the most highly anticipated since Y2K, some companies still weren’t prepared. A number of newspapers from our friends across the pond, including the LA Times, were so unprepared that they had no choice but to shut out their European audience. Cut to one month later, and you’ve guessed it, you still can’t access the website from a European VPN. Sort it out, guys. We miss you.

4. So lonely…

Remember when you were younger and you always got so excited about receiving an email? Remember when that feeling stopped when you became inundated with ads and spam? No doubt your inbox bubbled over with emails leading up to the 25 May deadline with organisations reminding you to opt-in. Granted, you may have received a lot of emails, but if you weren’t on top of them you may no longer be receiving emails from those few sacred sites you actually want to hear from. Now if you only have emails from some spammy sites you need to get out there and sign back up to your OG favourites. (Credit to Lucy Nichol for this one)

5. Clear as mud

GDPR is complicated enough without companies making it even worse for themselves and their customers. Take Halifax Bank, for example. It was as if they were trying to create a debate as controversial as ‘The Dress’ debacle of 2015 when they invited customers to guess whether the blue or white tick box was opt-in or opt-out. Come to think of it, is this really a fail or the next big internet sensation? Nope, we’re going to stick with fail.

But what does it mean?

GDPR doesn’t need to be difficult

So if you felt overwhelmed by GDPR information, all we can say is no wonder, when we see the blundering confusion it’s caused. Yes, it’s been hard, but it doesn’t have to be as hard as these websites are making out. Put simply, the General Data Protection Regulation is all about making sure that the customer is in control of the personal information they’re allowing companies to access, and making sure this information is handled safely. And for the more complicated bits, there’s a whole host of support out there to make sure your company is navigating GDPR with finesse not failure.

What was your favourite facepalm moment? Did it fall into our top five? Let us know by dropping us a line!

Get in touch


Clare Holmes

29 Jun. 2018



Recent Posts


Introducing DNS Guardian: Stop impersonation and spam caused by domain takeovers 

Rahul Powar

tl;dr: We’re thrilled to announce DNS Guardian — a new feature in Red Sift OnDMARC that can swiftly identify and stop domain takeovers that lead to malicious mail. Back in February, we shared updates with the community about SubdoMailing – an attack discovered by Guardio Labs. The attack was a form of subdomain takeover,…

Read more

Navigating the Information Security Landscape: ISO 27001 vs. SOC 2

Red Sift

As cyber threats evolve, so do the standards and frameworks designed to combat them. Two of the most recognized standards in information security are ISO 27001 and SOC 2. What sets them apart, and which one is right for your organization? Let’s delve into the key differences. Purpose and Scope: Global Framework vs. Client-Centric…

Read more

G2 Summer 2024 Report: Red Sift OnDMARC’s Winning Streak Continues

Francesca Rünger-Field

We’re delighted to announce that Red Sift OnDMARC has again been named a Leader in G2’s DMARC category for Summer 2024. This recognition is based on our high Customer Satisfaction scores and strong market presence. Red Sift appeared in 11 reports – 5 new ones since Spring 2024! – earning 5 badges: A few…

Read more

Google will no longer trust Entrust certificates from October 2024

Red Sift

Tl;dr: Google has announced that as of October 31, 2024, Chrome will no longer trust certificates signed by Entrust root certificates. While there is no immediate impact on existing certificates or those issued before 31st October 2024, organizations should start reviewing their estate now. On Thursday 27th June 2024, Google announced that it had…

Read more

Understanding the domain attack

Francesca Rünger-Field

tl;dr: The recent compromise of the domain has triggered a broad-reaching web supply chain attack, impacting over 100,000 websites across various sectors including finance, healthcare, non-profits, academia, and more. To ensure the security of your website, we strongly advise you immediately remove any reference to Latest update: 27th June 2024 Sansec, a…

Read more