Be ready for GDPR

Author: Sander de Bree, Founder and CEO of EXSYN Aviation Solutions

Subscribe

EU General Data Protection Regulation and MRO/M&E software systems

The new European Union General Data Protection Regulation (GDPR) will become enforceable on the 25th of May 2018. A lot is being written about it and there are probably more speculative stories around on the topic. So, to help airlines and MRO/M&E understand how it might impact in them, here is a straightforward guide.

The new GDPR can be broken down into 13 specific issues:

• It will be applicable to all companies handling the data of EU citizens;
• The definition of personal data is now wider (genetic, mental, cultural, economic, social identity. IP Addresses);
• Obtaining consent for processing personal data must be clear;
• There will be a ‘right to be forgotten’;
• People on whom data is held (users) may request a copy of their data in portable format;
• A data protection officer (DPO) will be required for every organization holding data;
• Any data breach (incl. accidentally losing data) must be reported to the authorities within 72 hours;
• Products, systems and processes must consider privacy-by-design, i.e. as an integral element from the outset;
• There must be legal basis for collecting and processing data;
• Data holders must take reasonable data protection measures;
• Users have the right to know what data about them has been collected and processed;
• Only authorized individuals can access the data;
• Organizations are only allowed to record and/or hold data required for their business.

In this article we will focus on how these rules in the GDPR will impact the usage and functions of airline MRO/M&E software systems.

GDPR DEFINITION OF PERSONAL DATA
A key fact to consider here is that, according the GDPR definition of personal data, any airline MRO/M&E software system will effectively be classified as a system containing personal data based on the following criteria:

• User logins; containing very basic information such as first name, last name, email address;
• Staff records; depending on the depth and functionality of the MRO/M&E system, it can contain anything from emergency contacts to home address to company authorizations;
• Worktime registration on job/task cards; working times that are traceable to individual people;
• Shift planning; again, depending on the depth and functionality of the MRO/M&E system, it can contain anything from shift schedules to actual staff attendance times to reasons for leave and/or overtime.

In each of the above scenario’s GDPR will deem the MRO/M&E system as being a system that holds personal data. This does not necessarily mean there will be large problems for airlines and MROs. After all, one of the GDPR rules states that a company must have a legal basis to collect this data. We can presume this legal basis exists during the period of an employee performing work or being contracted by a company.

IMPACT OF GDPR ON DAY-TO-DAY WORK WITH MRO/M&E SOFTWARE
The rules that would more impact day-to-day work at airlines and MROs working with an MRO/M&E software solution are the following:

• Obtaining consent; every employee needs to give their consent that their data (or a portion thereof) can be stored in the MRO/M&E system. This consent can be given by means ranging from a written letter or a notification when logging into the MRO/M&E system.
• Right to be forgotten; every employee (or former employee) of the airline or MRO can file a request for his/her data to be anonymized or removed from the MRO/M&E system. Only when legal implications exist, e.g. for a CRS (Certificate of Release to Service) statement, is an airline or MRO eligible to refuse this request.
• Requesting a copy of the data; every employee (or former employee) has the right to request a copy of their data held in the MRO/M&E software. Whenever such a request is made, the airline or MRO needs to comply with the request.
• Right to know; every employee of an airline or MRO has the right to know what information about him/her is collected in the MRO/M&E system and what this data is being used for. Think of items such as the reason for collecting working times on Job cards/task cards.
• Authorization; only authorized staff are eligible to access the data. This means a thorough ‘access right’ structure needs to be in place and this needs to be actively managed.

Overall, and potentially more important, every company needs to have processes and policies in place that ensure their compliance with the new General Data Protection Act. This would mean that items such as how to handle a request for right to be forgotten need to be laid down in the airline or MRO procedures.

Contributor’s Details

Sander de Bree, CEO, EXSYN

Sander de Bree is founder and CEO of EXSYN Aviation Solutions; focusing on engineering and technical management solutions for aviation and heavily specialized in the field of IT systems for aircraft maintenance. Next to implementing the overall strategy he oversees all operational activities and actively participates in R&D projects within the company. Sander holds a degree in aeronautical engineering with a specialization in aviation regulations and has a background in business administration. He is a member of the Royal Dutch society of engineers (KIVI NIRIA) and associate to the society’s departments of aerospace engineering and information technology.