GDPR: Top 5 Post-Implementation Issues for Airlines
On 25 May 2018, the EU General Data Protection Regulation (GDPR) came into effect. The GDPR establishes some of the most robust privacy requirements globally and is likely to be a model followed by other jurisdictions. Airlines are uniquely affected by the GDPR with passenger data being at the heart of their business and international operations. As new technologies allow airlines to pursue new and innovative uses of customer data, it is imperative that airlines continue to conduct their operations with GDPR compliance in mind, particularly given the financial and other reputational issues that can arise for a failure to meet the GDPR’s strict requirements.
Below are 5 key issues for airlines to consider in relation to the GDPR post-implementation.
1. Security Breaches
Airlines must notify the competent supervisory authority (e.g., for airlines based in the UK, the Information Commissioner’s Office) of security breaches involving personal data without undue delay, and where feasible, within 72 hours of becoming aware of the breach. Airlines must also communicate data breaches to affected individuals if the breach is likely to result in a high risk. The GDPR also sets out the content requirements of a breach notification. Airlines should prepare or revise data breach response plans to make sure they can meet the imposed obligations as efficiently as possible.
2. PSS, Outsourcing, and Other Vendor Agreements
The GDPR imposes certain minimum terms that must be included in any agreement where a third party processes personal data on behalf of another. These mandatory requirements require that an agreement with a data processor (such as a PSS provider) includes terms relating to usage restrictions, security, restrictions on subcontractors, providing assistance in relation to data subject rights, breach notification, return and deletion of data, and the provision of information and allowing for audits to demonstrate compliance with the GDPR’s requirements. Airlines should review their PSS, outsourcing, and other vendor agreements for compliance, and if required, incorporate appropriate amendments in such agreements.
3. Data Subject Rights
The GDPR focuses heavily on the rights of individuals. Individuals have a range of rights under the GDPR in respect of their personal data, including a right to access the information an airline holds on them and a right to erasure (the so-called “right to be forgotten”). Airlines must facilitate the exercise of the rights within a set timeframe of one month and they may not charge a fee. Airlines are likely to have already received a number of these requests and should keep their internal procedures under review to ensure continued compliance with the GDPR’s requirements.
4. New Products, Apps, and Services
As airlines rollout new products, apps, and services, it is important that airlines bear in mind the GDPR’s “privacy by design” requirements. New products, apps, and services may involve a host of compliance requirements including a need for a privacy impact assessment (e.g., where large scale processing of personal data is envisaged in “big data” and analytics projects), an audit of privacy notices to ensure adequate disclosures have been made to customers, and ensuring the airline has a lawful basis under the GDPR for processing personal data, including the sharing of such data with third parties.
5. Who is the Controller? Continued Data Sharing Across the Travel Ecosystem
Airlines share customer data with numerous actors across the travel ecosystem: customers; agents; GDSs; governments; other airlines; airports; hotels; loyalty card schemes; etc. Each of these relationship is likely to involve specific GDPR and privacy considerations. For example, tricky questions arise with respect to identifying who is the controller and who is the processor with certain intermediaries and technology providers. Airlines should ensure they have an up to date understanding of all relationships where they share customer data, the lawful basis for doing so, and ensure that appropriate contractual terms govern such sharing.