When a traveller visits an airport, a myriad of personal data is collected, both from passengers and from visitors to the airport. Typically, this includes IP addresses collected during booking, and credit card details when, for example, paying for parking and disabled services. So how has GDPR impacted data protection in airports and the wider travel industry?
The arrival at the airport may capture licence plates, facial images and details on passenger movements. Airlines share personal data with airports to allow access to airside locations and security services. Not all of these transactions are commercial. A number are for purposes of keeping travellers and staff safe and maintaining a smooth operation.
Airports, by definition, capture, process and share data with many partners. Under the new GDPR, this requires a new contractual framework between partners and the airport. This should analyse risks, and establish measures to ensure that, where a legal basis exists, data is transferred securely and kept safe on a need-to-know basis.
The added requirement of the GDPR is that all these data flows need to be mapped, recorded, and risk assessed. Appropriate safeguards should be put in place between airport partners. The transparency requirement in the GDPR requires airports to be transparent through notices to passengers, visitors and staff. This includes who you share information with, under what lawful basis and how long you keep the information for. These partners require yearly auditing, as would any other service that you procure.
Beyond just the passengers
Airports are secure areas and the threats go beyond just passengers. The threat of insider data theft, and the theft of critical staff data such as security passes, is one area we suggest airports look at when undertaking their GDPR risk analysis.
Airports allow others to use their technology infrastructure to keep data at rest and share data in and out of the airport. A lot of this data is highly sensitive, and can be gold dust to those who wish to disrupt the operation of the airport. A drone is so last year. Poor information security can produce the same effect from the comfort of an office 1000s of miles away.
Because of the nature of the data you share, the data you keep at rest, and the high volumes involved, the travel industry is a key target for those who wish to disable critical infrastructure and steal sensitive staff and passenger data. GDPR is therefore a wake-up call for the travel industry. As BA and Marriott proved, it is certainly a work in progress.
Written by Nigel Gooding, Data Protection Officer for Macmillan, Xoserve and South Western Ambulance Service Trust.