On April 14, 2016 the European Parliament voted to adopt a new data protection law for Europe, the General Data Protection Regulation (GDPR). The regulation will come into effect on May 25, 2018.
What is GDPR?
The purpose of the regulation is to further harmonise national data protection laws across the E.U., strengthen the obligations on those who use personal data, and enhance the rights of individuals.
- Applies to every organisation that processes the personal data of individuals in the E.U., whether or not it is established there: any company offering goods or services to, or monitoring the behaviour of, people in the E.U. is in scope, not just companies domiciled inside the E.U.
- Enforces fines in two tiers: up to €10 million or 2% of global annual turnover for lesser infringements, and up to €20 million or 4% of global annual turnover for the most serious, whichever is higher in each case
- Imposes a 72-hour window for companies to report a personal data breach to the supervisory authority (the Data Protection Authority), with limited exceptions such as breaches unlikely to result in a risk to individuals
- Requires a lawful basis for all processing of personal data; where consent is the basis relied on, it must be freely given, specific, informed and unambiguous
- Affords individuals the ‘right to be forgotten’ (right to erasure) and the right to access their personal data
- Implements ‘privacy by design’ – privacy can no longer be an afterthought when developing new products
- Sets up a ‘one stop shop’ – a company processing data across several member states deals principally with a single lead supervisory authority, in the member state of its main establishment
- Requires organisations whose core activities involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of special categories of data, to appoint a Data Protection Officer (DPO)
What are some of the issues for transportation companies?
Customisation of the passenger experience
The passenger transportation industry is placing an ever greater emphasis on customisation of the travel experience. Transportation companies are increasingly collecting personal customer data in order to tailor their propositions and create a competitive advantage.
The airline industry alone generated an estimated $67 billion in ancillary revenues last year, a figure that is only set to grow. Passenger rail services are now harnessing technology to promote real-time customer offers and cruise operators are going beyond the traditional realm of excursions; even using baby nappies to generate additional revenues.
Much of this customisation relies on personal data. The core definition of ‘personal data’ under GDPR matches that of the U.K. Data Protection Act: information relating to an individual who can be identified, either directly or indirectly. However, the regulation spells out more fully what counts as an ‘identifier’: alongside names and identification numbers it expressly lists location data and online identifiers such as IP addresses, as well as factors specific to a person’s physical, genetic, economic or social identity.
Location data can be generated by wireless networks in transportation hubs, as well as by smart cards or mobile devices that track whereabouts to take payment for journeys. Given the array of data points gathered before and throughout a customer’s journey, even where no single one identifies the passenger, in combination they may well amount to individual identification.
Talent attraction and retention
Under the GDPR, transportation companies must appoint a Data Protection Officer (DPO) if they meet certain conditions. The International Association of Privacy Professionals (IAPP) claims that, due to the data-intensive nature of operations, around 50% of large transportation companies will need a DPO.
At a minimum the DPO will need to:
- Inform and advise employees and organisations on their GDPR obligations
- Monitor compliance and manage data protection activities; including data protection impact assessments, staff training and audits
- Interact with authorities and individual data subjects
The GDPR itself requires that the DPO report directly to the highest management level and be given the resources needed to carry out the role; the Information Commissioner’s Office accordingly recommends that the DPO reports at board level and is adequately resourced. The GDPR further specifies that the DPO must have ‘expert knowledge of data protection law and practices.’
The role of the DPO should not be taken lightly. It is not a nominal position to satisfy regulation, and it must extend beyond the realm of IT. DPOs should be well-versed in data, risk, law and compliance, but also able to adapt to the ever-changing risk landscape of a modern digital world. At a time when many transportation companies are struggling to attract and retain top talent, finding a DPO will not be a simple ask. The IAPP estimates that at least 28,000 DPOs will be required in Europe alone, so competition will be fierce and a skills shortage may emerge.
Reputation in a fast-moving world
The financial price of getting GDPR wrong is well documented: losing up to 4% of turnover would undoubtedly be a board-level issue. Mandatory breach reporting also adds new elements of risk: reputational damage and collective legal action by affected individuals. It will now be easier for traditional and social media channels to publicise failings, so transportation companies must be prepared to face the stark glare of media and customer scrutiny if they are found to be non-compliant with GDPR.
When one telecoms company suffered a serious data breach in 2015, around 200,000 tweets were sent on the subject in just one week. The overall cost was 101,000 customers lost. In the fiercely competitive transportation industry, if customers lose trust in an organisation’s ability to protect their data they can and will find other providers.
‘Privacy by design’ requirements mean that, following a breach, regulators will examine the technical and organisational measures an organisation had in place to safeguard personal data when determining fines. The activities of the DPO and the breach response plan are therefore critical. Data breaches can and will happen; but an organisation that has implemented proactive risk management may be looked on more favourably by regulators and better protect its reputation.
How can I use GDPR for competitive advantage?
The GDPR is a piece of legislation that aims to help citizens and organisations safely and confidently navigate their way through an increasingly complex digital world. While it may be easy to think of the GDPR as yet another compliance burden, it should be viewed as a means by which to bring your organisation up to speed with the modern digital world.
To harness GDPR for business advantage organisations should:
- Manage their obligations and take bold privacy decisions that set them apart from the competition.
- Enhance brand trust by engaging customers in the data protection process.
- Use the improved understanding of their data that compliance demands to extract more value from it.
- Implement proactive risk management to minimise potential financial loss.