With the introduction of GDPR, airports and airlines are implementing changes across infrastructures to ensure compliance with the new data protection regulation. With compliance requirements reaching into the PNR directive, airports and airlines of all sizes will be under pressure to make sure that the capture, storage and distribution of passenger data remains secure and protected.
The Passenger Name Record (PNR) directive has been in force since 2016, amid controversy surrounding the collection of personal passenger data, but following the Brussels and Paris terror attacks, which increased security significantly across the EU.
Rockwell Collins’ Adam Mottram said in a recent interview, ‘Combating the rise of global terrorism has led airlines to collect passenger information and deliver it to the receiving country. These [new] EU regulations are just the beginning of data processing, delivery and security of information required by EU member states and other countries.’
PNR information was originally used to compare flight passenger data, such as identity and flight destination/interlining data, against information held by security and border agencies around the world. The introduction of GDPR has enhanced PNR to further protect personal passenger data and to introduce new mandates to regulate the handling of potentially sensitive information to a new set of standards.
Some of the key changes include:
- PNR can only be used for the ‘fight against terrorism’
- It cannot contain information about ethnicity, race or religious beliefs
- It cannot contain political tendencies
- After six months, the data must be depersonalised by removing names, addresses and other contact information
- After five years, it must be deleted.
A new role has also been created under the new regulations, and from 25th May 2018, a Data Protection Officer (DPO) is required to fulfil compliance with the new standards for collection, storage, and distribution, in addition to ensuring all mandates are met in terms of data handling and subsequent storage.
Caroline O’Sullivan from the European Regions Airline Association (ERA) said, ‘GDPR marks a milestone in data protection laws as the EU takes a major step towards a digital single market and harmonizing data protection across member states.’
With pressure increasing for airports and airlines to meet the growing mandatory conditions or face significant fines, many operators are using automation within innovative solutions to ensure obligations are fulfilled across a diverse, multi-protocol environment.
‘As the fight against global terrorism continues,’ Mottram said, ‘demands for data become more complex. Each country has its own set of requirements including different data formats, time frames, and fines if the data doesn’t arrive on time.’
Rockwell Collins’ ARINC Border Management Solution is helping airports and airlines of all sizes to deliver compliance while meeting bottom-line budgetary needs. ‘We are helping airlines deliver PNR and API data using an automated system for establishing interoperability amongst the many systems that exist in the aviation industry and beyond,’ said Adam Mottram.
‘Our ARINC Border Management Solution includes a fast and simple integration process that captures raw data from reservation and departure control systems and delivers the data in the necessary format, with validation for each record received. This system helps ensure that airlines meet the PNR directive, so they don’t incur the penalties and fines now associated with GDPR.’