The General Data Protection Regulation (GDPR) is a sweeping European Union regulation that was approved in April 2016 and becomes enforceable on May 25, 2018. While it is a European Union regulation, it protects the data privacy of all European citizens, which means that any company throughout the world that is holding or interacting with data from a European citizen is subject to its strictures. These include fines of up to $23.5 million, or 4% of the total worldwide turnover of a business in the preceding financial year (whichever is higher).
While the GDPR will have far-reaching impacts across many industries throughout the world, the globally interconnected nature of the aviation industry means that nearly all companies involved in aerospace are likely to fall under the bounds of the GDPR, so it’s important to know what the regulations cover.
The GDPR’s Main Points and How to Comply
There are eight main areas to consider when determining how your company will comply with the GDPR.
Notification of Data Breaches
Breaches involving personal data will need to be reported within 72 hours.
How to Comply: If your company doesn’t have a data breach protocol in place, it is especially imperative to create one now to ensure that you would be able to comply in the time required, otherwise you may face that hefty financial penalty.
Opt-In/Opt-Out Consent
Companies collecting personal data will be required to explicitly get opt-in consent from users, and offer a clear and uncomplicated opt-out option.
How to Comply: Review all current consent forms to guarantee that they are in line with the updated data processing standards. Ensure that all contacts in your marketing database expressly opted in to receive communications, and that all future communications clearly highlight an opt-out option.
Companies Accountable
Any company in violation of the GDPR will be required to demonstrate continued compliance with the regulations, maintaining certain documents, carrying out Privacy Impact Assessments and implementing Privacy by Design and Default practices.
How to Comply: Data controllers will be required to show that the impact of new products, services or processes has been considered in respect to personal data. The data should not be collected unless it is truly needed (and can be argued as such in compliance with the regulations); and any data that is collected should be done in such a way to minimize any negative impact on an individual’s rights.
Appointing Data Protection Officers (DPOs)
In cases where a company’s core activities “require regular and systematic monitoring of data subjects on a large scale,” or consist of the large-scale processing of “sensitive personal data” and “personal data relating to criminal convictions and offences,” a GDPR-certified DPO will be required.
How to Comply: To determine whether your company needs to hire a DPO, you may need to consult a lawyer to discuss the nuances of the language contained in the GDPR.
Increased Individual Rights
The core of these regulations is the protection of personal data, and this section adds new rights around data portability, requesting deletion, objecting to processing and requesting subject access, among others, with specific time frames in certain cases.
How to Comply: You will need to create or streamline your protocols around processing data requests to ensure that you are able to meet all the new requirements within the specified time frames.
Data Auditing and Record Keeping
To ensure compliance and accountability, more stringent requirements around record keeping and data audits have been included in the GDPR, to be able to easily show what data is stored or processed by a company.
How to Comply: A company will need to be able to show what data is processed, why it was collected and whether it is still necessary to be stored. Outdated data will need to be updated, and unnecessary data will need to be deleted.
Fair Processing Notices
Individuals will need to be informed when their data is being processed, with the added requirement that companies will need to tell the subjects why their data is being processed and be able to prove that it is in the best interest of the subject.
How to Comply: You will need to be explicit about why you collect data and how you intend to process it (and then be consistent with how you actually process that data).
Third-Party Data Processors
This section specifies new requirements for contracts between a data collector and a data processor, including data processors acting only on the documented instructions of the data controller, and processors deleting or returning all of the personal data at the end of their services.
How to Comply: You will need to specify which of your service providers are data collectors and which are data processors, and you will need to ensure that any contract language is compliant with this section of the GDPR.
The Bright Side of GDPR Compliance
While this may seem intimidating on the one hand and tedious on the other, the reality is that preparing your company for GDPR compliance offers a few positive opportunities.
Bring Your Customers and Vendors Into the Process
This is an opportunity to begin a new conversation, to update outdated information and to create a more targeted database of individuals and companies that want to hear from you.
Roll up Your Sleeves and Dive Into Your Data!
There has been so much excitement around data and how it has and continues to change the aviation industry, but the reality is that most companies don’t really know what data they’re truly sitting on, and what to do with it. This is an opportunity to be forced to look at what data you are responsible for and to be able to plan for (and defend) what you are doing with it.
Organization Begets Organization
You are now required to create some processes and protocols that you likely should have had in place years ago. In the process, it is probable that you will have to revise other processes and protocols to account for these new requirements. See this as an opportunity to take a hard look at all of your processes and protocols, to determine if there are ways that you can innovate other areas of your business as you reorganize around GDPR compliance.
