On 25 May 2018, the EU’s General Data Protection Regulation (“GDPR”) came into effect across the 28 member states of the EU. The GDPR has had a significant impact on those who collect, use, share and otherwise process “personal data.”
How is personal data used in the transport sector?
Predominantly, “personal data” means any information which relates to an identified or identifiable individual, generally a passenger in this situation. It will include, for example, the passenger’s name and contact details; it will also (occasionally) include information about travel routes, vehicle usage, the dates and times passengers enter or exit a transport operational network, and fares or toll information, passport or national ID.
The legislative upgrade brought in by the GDPR has affected businesses and organisations throughout the transport sector, from rail or bus operators, airlines, passenger transport authorities, manufacturers of connected and autonomous vehicles, in-vehicle or on-board platform developers, to smart ticketing
Understanding and using the information to an advantage transport data nestles at the heart of recent developments in technological advancements within the industry.
Business development of intelligent traffic and mobility platforms are gathering and sharing more personal data and the growth is exponential
For example, personal data can be used for:
- increasing the efficiency of passenger flows within airport terminals via smart ticketing data and mobile phone or tablet analytics;
- Developing city planning and operations, through tracking of smart passes or connected and self governing vehicles;
- generating revenue from data, by providing it to third parties such as station or airport retailers, advertisers, mobile network operators or automotive service and parts suppliers. Retailers within airports are using wifi analytics of mobile devices to push those last minute shopping offers directly to the passengers as they pass the shop.
It is essential though, that transport businesses and organisations understand and comply with the GDPR, not least because there will be increased penalties for non-compliance, including (in the worst cases)fines of up to €20 million or 4% of worldwide turnover. If we look at Dubai Duty Free (DDF) as an example it announced ‘record-breaking’ annual duty free sales of $1.93bn (€1.61bn) for 2017, so you can see how a fine in the worse case scenario would hit DDF to the tune of over $77M. If the maximum fine was applied.
Less of the bad news complying with the GDPR and being transparent about how it collects and shares data can also deliver significant business benefits. Passengers will be more willing to provide their data, and for different uses, if they trust organisations to handle it fairly, securely and responsibly.
Key areas of impact for the transport sector
Clients are already talking to us about impacts in the following areas:
- use of smart ticketing data e.g. on fares / tolls or on Mobility as a Service projects;
- use of vehicle tracking and/or road charging data;
- Insurance companies measuring a drivers ability.
- vehicle sharing / service models – addressing issues of different drivers and passengers using a vehicle;
- legally compliant methods for storing geolocation data or mobility patterns;
- ensuring data security within intelligent transport systems;
The impact areas highlighted above are just some of the considerations for transport businesses and organisations. Performing a GDPR full assessment transport businesses and organisations must:
- give careful consideration to what personal data they collect and how they use, share and otherwise process it;
- review their existing supplier and other agreements to ensure that they meet the more onerous requirements of the GDPR, and properly allocate risk between the parties;
- ensure that they implement the principle of privacy (or data protection) by design, which means that data protection should not be an afterthought or an issue casually considered at the end of a project or procurement of a new system; it must be central to the way that organisations plan and operate; and
- put in place those other policies, procedures and governance structures which will be needed – together with relevant training – to ensure on-going compliance.