At the 25th of May 2018 the new European Union – General Data Protection Regulation (GDPR) will become enforceable. A lot is being written about it and probably more stories float around on it. Basically, the new GDPR can be broken down into 13 specific items that are addressed:

The 13 GDPR items: 

  • Applicable to all companies handling data of individuals of the EU
  • Definition Person data is now wider (genetic, mental, cultural, economic, social identity. IP Addresses)
  • Obtaining consent for processing personal data must be clear
  • Right to be forgotten
  • User may request a copy of their data in portable format
  • DPO required (data protection officer)
  • Report data breach (incl. accidental losing data) with 72 hours to authorities
  • Product, system and process must consider privacy-by-design
  • Must be legal basis for processing data and the collection
  • Reasonable data protection measures
  • Right to know what has been collected and processed
  • Only authorized individuals can access the data
  • Only allowed record data required for business

In this article we will zoom into the aspect of how these set of rules in the GDPR will impact the usage and functions of Airline MRO/M&E software systems.

GDPR definition of personal data

A key fact to consider here is that according the GDPR definition of personal data, any airline MRO/M&E software system will effectively be classified as a system containing personal data based based on the following criteria:

  • User logins; containing very basic information such as first name, last name, email address
  • Staff records; depending on the depth and functionality of the MRO/M&E system can contain anything from emergency contacts to home address to company authorizations
  • Worktime registration on job/task cards; working times that are traceable to individual people
  • Shift planning; again, depending on the depth and functionality of the MRO/M&E system can contain anything from shift schedules to actual staff attendance times to reason for leave or overtime.

In each of the above scenario’s the new GDPR will deem the MRO/M&E system as being a system that holds personal data. This does not directly mean that large problems loom on the horizon for airlines and MRO’s. After all, one of the GDPR rules states that a company must have a legal basis to collect this data. Presumably, this legal basis exists during the period of an employee performing work or being contracted by a company.

Impact of GDPR on day-to-day work with aMRO/M&E software

The rules that would more impact day-to-day work at airlines and MRO’s working with a MRO/M&E software are the following:

  • Obtaining consent; every employee needs to provide their consent that their data (or a portion thereof) is stored in the MRO/M&E system. This consent can be given my means ranging of a written letter or a notification when logging into the MRO/M&E system
  • Right to be forgotten; Every employee (or former employee) of the airline or MRO can fill a request for his/her data to be anonymized or removed from the MRO/M&E system. Only when legal implications exist (e.g. CRS statement) an airline or MRO is eligible to refuse this request
  • Requesting a copy of the data; Every employee (or former employee) has the right to request of copy of the data held in the MRO/M&E software. Whenever such a request is made, the airline or MRO needs to comply with the request
  • Right to know; every employee of an airline or MRO has the right to know which information of him/her is collected in the MRO/M&E system and where this data is being used for. Think of items such as the reason for collecting working times on Job cards/task cards
  • Authorization; only authorized staff are eligible to access the data. This means a thorough access right structure needs to be in place and this needs to be actively managed.

Overall, and potentially more important, every company needs to have processes and policies in place that ensure their compliance with the new General Data Protection Act. This would mean that items such as how to handle a request for right to be forgotten need to be laid down in the airline or MRO procedures.