Why US airlines should be concerned about EU GDPR regulation | HCL Blogs

Impact of the EU GDPR regulation on US Airlines

April 26, 2018

Why Should US Airlines be Concerned about EU GDPR regulations?

Shift in how customer information is collected, stored, and processed impacts the IT ecosystem at large

According to the United Nations World Tourism Organization (UNWTO), Europe is the largest tourist destination by region, accounting for nearly half the total number of international tourists across the world. Bearing in mind that personalized customer experience is one of the key investment focus areas, airlines are collecting data from their travelers to understand their preferences, thereby trying to provide a differentiating experience.

More than 20% of international visitors to the US (excluding Canada and Mexico) are Europeans, and with more than 26% of US international air traffic controlled by European destinations, it is evident why US airline companies want to capitalize on the European market. The European market is critical to US airlines both in terms of revenue and customer base.

The EU General Data Protection Regulation (GDPR) is the most significant change to data privacy regulation in Europe in the past 20 years and has several implications for the airline industry. It will be enforced from May 2018.

GDPR compliance will strengthen privacy regulations concerning how an airline collects and processes personal information in the following ways:

  • Any stored information ranging from an e-mail address to a photograph that can directly or even indirectly identify a person is considered personal data.
  • There is the “Right to Be Forgotten.” That is, an individual has the right to request that his or her personal data be erased, which can also stop it from being processed by third parties of the initial data collector.
  • Individuals will have the right to receive from the data controller “confirmation as to whether personal data concerning them is being processed, where and for what purpose.”
  • Easy-to-understand conditions regarding consent must be given to consumers with a clear option to ‘opt out.’ Essentially, as a result of general data protection regulations, companies will have to explain what the data is being used for, rather than embedding it in lengthy terms and conditions.

While concerns regarding data privacy are always strongly voiced, recent events such as the Facebook data breach case — even though the ‘voluntary’ nature of the data being shared is debatable — have prompted the industry to thoroughly recheck the cybersecurity measures it has implemented. A breach of a similar nature that is directly relevant to the travel industry, but that received far less attention, is that of Orbitz (a subsidiary of Expedia). The company suspects that hackers may have accessed the personal data of more than 880,000 accounts between October 2017 and December 2017. In such a scenario, EU GDPR becomes more relevant than ever before, and the areas in which it will affect airlines’ management of customer data across departments are given below.

  • Sales and Marketing
    • Seasonal sale campaigns, which are run on an existing customer database, are backed by data analytics to identify propensity. To do this, airlines will now need explicit permission from the customer.
    • Targeted marketing, where travelers’ search history and past travel history are tracked to populate personalized offers, will in future require customers to do more than just accept the cookie consent on the website.
  • Customer Experience
    • In the era of personalization, every airline is trying to profile each of its travelers by collecting data ranging from their reason for travel to their likes in in-flight entertainment and catering. The profiling systems currently in place will need to be scrutinized to understand the associated data risks.
    • Loyalty programs are another data-reliant area in which airlines generate significant revenue and share insights about their customers with partners, who are mostly fintech giants, or with independent frequent flyers. Sharing these insights will require explicit customer consent, but the harder task will be removing the data from siloed systems if a customer chooses to ‘opt out.’
  • Operations
    • By far, operations face the least impact, as airlines are mandated by the regulatory authorities to share data. Under the general data protection regulations, however, such data may be used only to understand the risk associated with the traveler for security purposes.

Considering the complex nature of an airline’s IT landscape, customer data can reside in a multitude of databases, depending on how long the airline has been operating and how efficient and integrated its IT estate is. Coupled with the fact that all three major US carriers have undergone M&A activity in the past decade, GDPR compliance will mean addressing major data management challenges. Some of the key ones will be:

  • Identifying customer nationality from the existing record database. It will be easier for airlines to do away with unidentified records, as they do not add any value.
  • Ensuring that the customer database in use is centralized, secured, and encrypted. This means extending the existing encryption scope from just the financial details to the entire profile of the customer.
  • In addition, some further areas need to be considered, including proper data classification so that the privacy policy can be applied seamlessly according to each customer’s choices. This will be useful for scenarios such as a customer allowing an airline to use his/her data for personalization while being unwilling to share specific information (e.g., past booking history) with third parties.
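The consent-scoped sharing scenario just described, together with the opt-out erasure across siloed systems noted under loyalty programs, as an added illustration that is not part of the original post: the classification labels, the purposes, the sample profile and the system layout are all assumptions made for the example.

```python
# Consent-scoped disclosure and fan-out erasure for an airline customer profile.
# Hypothetical example: the classifications, purposes and sample data are constructed.

# Data classification label for each profile field (constructed labels)
CLASSIFICATION = {
    "email": "identifier", "passport_no": "identifier",
    "meal_preference": "preference", "ife_preference": "preference",
    "booking_history": "travel_history", "card_last4": "financial",
}

# Classifications each purpose may touch at all (assumed policy); financial
# data is never in scope for marketing or sharing, whatever the consent says.
PURPOSE_SCOPE = {
    "personalization": {"preference", "travel_history"},
    "third_party_sharing": {"preference", "travel_history"},
}

def disclose(profile, consent, purpose):
    """Return the subset of `profile` usable for `purpose`.

    `consent` maps a purpose to the classifications the customer opted in
    to for it; a missing purpose means no consent. Fields with no
    classification are withheld rather than leaked by default."""
    allowed = PURPOSE_SCOPE.get(purpose, set()) & consent.get(purpose, set())
    return {k: v for k, v in profile.items() if CLASSIFICATION.get(k) in allowed}

def erase(systems, email):
    """Right to be forgotten: fan the request out to every siloed system
    and report how many records each removed, so silos that still hold a
    copy (a count of 0 where one was expected) stand out in an audit."""
    removed = {}
    for name, store in systems.items():
        hits = [cid for cid, rec in store.items() if rec.get("email") == email]
        for cid in hits:
            del store[cid]
        removed[name] = len(hits)
    return removed

# Constructed sample profile and the consent from the scenario above:
# full personalization, but third parties must not see the booking history.
PROFILE = {
    "email": "traveler@example.com", "passport_no": "X1234567",
    "meal_preference": "vegetarian", "ife_preference": "documentaries",
    "booking_history": ["JFK-CDG 2017-10", "CDG-JFK 2017-11"], "card_last4": "4242",
}
CONSENT = {"personalization": {"preference", "travel_history"},
           "third_party_sharing": {"preference"}}
```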

Considering the current technological advancements in cybersecurity, an airline has a multitude of options to choose from, ranging from implementing stronger encryption protocols to efficient and secure access management. From an exploratory perspective, it means looking at emerging technology such as Blockchain to provide an additional layer of security that cannot be easily breached.

To conclude, even while acknowledging the existing challenges of legacy systems and siloed databases, it is high time airlines took the first steps toward GDPR compliance, started identifying business-related data risks, and put a strategy roadmap in place. This is far better than being in the headlines for the wrong reasons.