When a traveller visits an airport, a myriad of personal data is collected from passengers and visitors. The typical journey ranges from an IP address collected on the airport website as they book additional services such as parking, fast track and disabled services, to credit card details for paying for these services.
The arrival at the airport may capture licence plates, facial images and details on passenger movements as airlines share personal data with airports to allow access to airside locations and security services. Whilst not all of these transactions are commercial, a number are for purposes of keeping travellers and staff safe and maintaining a smooth operation.
Airports, by definition, capture, process and share data with many partners. All of these partners, under the new GDPR, require a new contractual framework between them and the airport to analyse the risks and put in place measures to ensure that, where a legal basis exists to transfer the data, it is securely transferred and kept safe on a need-to-know basis.
The added requirement of the GDPR is that all these data flows need to be mapped, recorded, risk assessed and appropriate safeguards put in place between airport partners. The transparency requirement in the GDPR requires airports to be transparent through notices to passengers, visitors and staff. This includes who you share information with, under what lawful basis and how long you keep the information for. These partners need to be audited at least yearly as you would any other service that you procure.
Airports are secure areas and the threats go beyond just passengers. The threat of insider data theft, blackmail and the theft of critical staff data, such as security passes, is one of the areas we would propose airports look at when undertaking their GDPR risk analysis.
Airports allow others to use their airport technology infrastructure to keep data at rest and share data in and out of the airport. A lot of this data is highly sensitive and in some cases gold dust in the hands of those who wish to disrupt the operation of the airport or steal important personal information. A drone is so last year, when poor information security can produce the same effect from the comfort of an office 1000s of miles away.
Therefore, the travel industry, because of the nature of the data you share, the data you keep at rest, and the high volumes involved, is a key target for those who wish to disable critical infrastructure and steal sensitive staff and passenger data. GDPR is a wake-up call for the travel industry and, as BA and Marriott proved, it is certainly work in progress.
Written by Nigel Gooding, Data Protection Officer for Macmillan, Xoserve and South Western Ambulance Service Trust.