The GDPR what organisations in the transport sector need to do now

The GDPR: what organisations in the transport sector need to do now

On  25 May 2018, the EU’s General Data Protection Regulation (“GDPR”) came into effect across the  28 member states of the EU. The GDPR has had a significant impact on those who collect, use, share  and otherwise process “personal data.”

How is personal data used in the transport sector?

Predominantly, “personal data” means any information which relates to an identified or identifiable individual, generally  a passenger in this situation. It will include, for example, the passenger’s name and contact details; it will also (occasionally) include information about travel routes, vehicle usage, the dates and times passengers enter or exit a transport operational  network, and fares or toll information, passport or national ID.

The legislative upgrade  brought in by the GDPR has affected  businesses and organisations throughout  the transport sector, from rail or bus operators, airlines, passenger transport authorities, manufacturers of connected and autonomous vehicles, in-vehicle or on-board platform developers, to smart ticketing  

Understanding and using the information to an  advantage transport data nestles at the heart of recent developments in technological advancements within the industry.

Business development of intelligent traffic and mobility platforms are gathering  and sharing more personal data and the growth is exponential

For example, personal data can be used for:

  • increasing the efficiency of passenger flows within airport terminals via smart ticketing data and mobile phone or tablet analytics;
  • Developing city  planning and operations, through tracking of smart passes or connected and self governing  vehicles;
  • generating revenue from data, by providing it to third parties such as station or airport retailers, advertisers, mobile network operators or automotive service and parts suppliers. Retailers within airports are using wifi analytics of mobile devices to push those last minute shopping offers directly to the passengers as they pass the shop.

It is essential though, that transport businesses and organisations understand and comply with the GDPR, not least because there will be increased penalties for non-compliance, including (in the worst cases)fines of up to €20 million or 4% of worldwide turnover. If we look at Dubai Duty Free (DDF) as an example it  announced ‘record-breaking’ annual duty free sales of $1.93bn (€1.61bn) for 2017, so you can see how a fine in the worse case scenario would hit DDF to the tune of over $77M. If the maximum fine was applied.

Less of the bad news complying with the GDPR and being transparent about how it collects and shares data  can also deliver significant business benefits. Passengers will be more willing to provide their data, and for different uses, if they trust organisations to handle it fairly, securely and responsibly.

Key areas of impact for the transport sector

Clients are already talking to us about impacts in the following areas:

  • use of smart ticketing data e.g. on fares / tolls or on Mobility as a Service projects;
  • use of vehicle tracking and/or road charging data;
  • Insurance companies measuring a drivers ability.
  • vehicle sharing / service models – addressing issues of different drivers and passengers using a vehicle;
  • legally compliant methods for storing geolocation data or mobility patterns;
  • ensuring data security within intelligent transport systems;

Next steps

The impact areas highlighted above are just some of the considerations for transport businesses and organisations. Performing a GDPR full assessment transport businesses and organisations must:

  • give careful consideration to what personal data they collect and how they use, share and otherwise process it;
  • review their existing supplier and other agreements to ensure that they meet the more onerous requirements of the GDPR, and properly allocate risk between the parties;
  • ensure that they have a GDPR-compliant privacy policy explaining (amongst other things) what personal data is collected, for what purposes, and how it is shared;
  • ensure that they implement the principle of privacy (or data protection) by design, which means that data protection should not be an afterthought or an issue casually considered at the end of a project or procurement of a new system; it must be central to the way that organisations plan and operate; and
  • put in place those other policies, procedures and governance structures which will be needed – together with relevant training – to ensure on-going compliance.

If you would like to discuss the GDPR, or any of the issues raised by it, please contact one of our experts by calling

+44 (0) 121 262 4024 or emailing

Sharing is caring!

error: Content is protected !!