Airlines have a little over two months left to put practices in place to comply with new regulations that come into effect on May 25 across the European Economic Area (EEA). The regulations give citizens of European Union (EU) member states more stringent control over the data obtained by businesses that provide goods and services, whether at a cost or for free.
The impending introduction of the General Data Protection Regulation (GDPR) made data protection compliance the focus of a special session at IATA’s Legal Symposium in Bangkok, Thailand last week, as the airline industry prepares to comply with it and with similar regulations in multiple states.
GDPR, which was approved in April 2016 after four years of preparation and debate, replaces rules which have been in place for over twenty years. The regulations have wide-reaching implications for all businesses, inside and outside of the EU, with regard to how they collect, use, manage and store their customers’ and employees’ personal data.
Airlines have had to comply with data protection regulation in a number of countries, but GDPR is attracting specific attention because of the fines associated with non-compliance and the necessity for businesses to self-report breaches.
Companies which breach GDPR will face fines of up to €20 million, or four percent of the total worldwide turnover of a business in the preceding financial year, whichever is higher. In addition, EEA member states are required to impose penalties that are “effective, proportionate and dissuasive.” In a paper on GDPR prepared by global law firm HFW, it is stated that a ‘draft UK Data Protection Bill, which will implement the GDPR in the UK, allows for prosecution of directors.’
Compliance with GDPR will prove challenging for airlines, and the broader travel industry, given its scope. For instance, the regulation will apply to all airlines operating within and out of the EU and, in an example given at the symposium, would also apply to data kept and stored in the EU in the case of bookings made with online travel agencies based in the EU.
The regulation not only impacts the data provided by EU passengers flying with airlines but all data provided by EU citizens to airlines, even in the form of subscriptions to e-mail newsletters.
At the time of GDPR’s approval, former IATA Director General Tony Tyler reinforced airlines’ commitment to follow the laws in relation to data collection and protection, but urged governments to adopt a global standard, citing the expense to airlines of developing IT systems to comply.
At last week’s symposium, there was a consensus among the panel of legal experts, including legal representatives of airlines such as Air Canada and Air New Zealand, that GDPR should be adopted as the baseline for compliance. As one expert on the panel said: “As onerous as (GDPR) is and as stringent as it is, it’s tangible, it’s clear, and I think it’s going to become the global default.”
John is educated to postgraduate level, having achieved a master’s degree with Distinction in Airline and Airport Management. John is currently the course director of an undergraduate commercial pilot training programme at a leading London university. In addition, he is contracted as an external instructor for IATA (International Air Transport Association) and is a member of the Heathrow Community Fund’s ‘Communities for Tomorrow’ panel.