Airlines Under Pressure to Meet GDPR and PNR Compliance


Airlines today are facing numerous complex compliance requirements in an effort to minimize global threats from terrorism. The European Union (EU) is leading the charge with the General Data Protection Regulation (GDPR). The regulation requires compliance across industries and geographies. Specifically for airlines, it includes the Passenger Name Record (PNR) directive, which has far-reaching implications for the industry. Enforcement of both of these regulations will be in effect by May 25, 2018, requiring airlines to make changes to how they capture, store, and disseminate data across their network.

“Combating the rise of global terrorism has led airlines to collect passenger information and deliver it to the receiving country,” according to Adam Mottram, who oversees marketing and strategy for Rockwell Collins IMS’ Commercial Aviation & Network Services.

Gathering of passenger data is a controversial issue, but the European Union passed the directive in 2016, shortly after the terror attacks in both Brussels and Paris. Security, which was always a key concern, became even more of a priority at that point. The EU-wide regulation requires airlines to capture data on each passenger, including identification information, booking details such as flight destination, and more. This information is then compared against the data in law enforcement databases to assist with preventing, detecting, and investigating terrorism and other crimes.

Today, the PNR directive is being extended in an effort to protect passenger data and regulate the handling of personal identification information. Following the new mandate, the handling of this information must meet the EU’s standard. PNR data can be processed only for the fight against terrorism and cannot include information about a passenger’s race, ethnicity, political, or religious beliefs, among other traits.

Oversight of the processing of PNR data requires an independent national supervisory authority. In addition, as of May 25, 2018, the EU will require that the storage and processing of PNR data follow a new set of standards for compliance. Data must be depersonalized after six months by masking out personal data, including name, address, and contact information, and must be deleted after five years.

According to European Regions Airline Association’s (ERA) Caroline O’Sullivan, “GDPR marks a milestone in data protection laws as the EU takes a major step towards a digital single market and harmonizing data protection across member states.” This move towards one standard of collecting, processing, storing, and securing data requires that airlines create a role responsible for ensuring that the airline complies with the standards. ERA recommends that airlines share best practices to achieve compliance and agrees with IATA that airlines should put in place a Data Protection Officer (DPO) to handle this component of data compliance.

“These EU regulations are just the beginning of data processing, delivery and security of information required by EU member states and other countries,” predicts Mottram. “As the fight against global terrorism continues, demands for data become more complex. Each country has its own set of requirements including different data formats, time frames, and fines if the data doesn’t arrive on time.”

As airlines are under pressure to meet these growing demands, they are looking for solutions to help automate the process and ensure delivery of data to the diverse communications systems across the globe.

“We are helping airlines deliver PNR and API data using an automated system for establishing interoperability amongst the many systems that exist in the aviation industry and beyond,” said Mottram. “Our ARINC Border Management Solution includes a fast and simple integration process that captures raw data from reservation and departure control systems and delivers the data in the necessary format, with validation for each record received. This system helps ensure that airlines meet the PNR directive so they don’t incur the penalties and fines now associated with GDPR.”