Aviate, Navigate, Communicate – Concord Compliance post-GDPR

2018 has been a horror year for data breaches in aviation. British Airways, Cathay Pacific, Air Canada, Delta Airlines and Arik Air have all fallen victim to major data breaches. In the case of British Airways, a 15-day cyber attack in July compromised 244,000 credit card details. The breach sparked a criminal inquiry by the National Crime Agency (NCA), and BA now faces a maximum fine of nearly £500 million, with the Information Commissioner’s Office (ICO) investigating the incident.

Why is aviation a high risk sector?

Airlines, airports and their service providers process millions of pieces of passenger, crew and employee information, along with customer lists, details of business contacts and sensitive business information, across hundreds of jurisdictions. The complex, international nature of aviation and the detailed personal data required to participate, often across national borders, make aviation an attractive target for attackers and a difficult one for security professionals to defend.

How should Data Protection Officers react?

According to the Federal Aviation Agency, pilots are given the following priorities: Aviate, Navigate, Communicate. Data Protection programmes within aviation can be prioritised in the same way:


“The top priority — always — is to aviate. That means fly the airplane by using the flight controls and flight instruments to direct the airplane’s attitude, airspeed and altitude. The instruments directly in front of the pilot provide important information on how well the pilot is doing with respect to basic aircraft control”

For a Data Protection Officer, basic aircraft control means being able to answer: ‘What data do I have? Where is it? Who has access to it? How is it secured?’. With oversight of data, DPOs can then start to develop insight.

For that initial oversight, organisations are turning to data discovery technology as the answer. According to the 2018 EY-International Association of Privacy (IAPP) Information Governance report:

  • Amongst companies preparing for GDPR, 57% are investing in technology in 2018, up from 27% in 2016.
  • 68% of programme leaders now say data inventory and mapping is a priority, up from 48% in 2016.

As the aviation industry comes under increasing scrutiny for the security of its data practices, the minimum that is expected is for those at the helm to have an accurate oversight of their data.


Figure out where you are and where you’re going. Turn oversight into insight.

For data protection officers, navigation is about understanding where privacy risk lies, and what needs to be done to mitigate it. Is it in the sales and marketing platform with 8 million passengers? The HR department with the pilots’ files? The partnership programme with the right to work documentation?

Understanding privacy risk means understanding the context of data. To do this, DPOs need to ensure that the uses of data are legitimate, that the reasons for processing are documented, and that the processes are mapped and understood.

By mapping the business process, DPOs can develop a real, intuitive understanding of where privacy risk lies in the organisation, mapped to a business process that is described in language that the rest of the organisation can understand.


Make sure your passengers are aware of standard safety procedures and know what to do in the event of an emergency landing.

Once you’ve mapped your data to your business processes, you can articulate expected data practices for each of those processes, allowing you to deliver tailored training for data protection for your different sets of employees.

The better the DPO’s oversight of and insight into the data estate, the better the messages for data protection will be communicated.

In 2018, periodic training and manual data audits have their limits. With new solutions available, creating rules within a data discovery technology to automatically monitor for acts of non-compliance is the way to give the DPO the level of oversight and insight needed to best protect data.

For concord compliance: aviate, navigate, communicate.

John Tsopanis
Data and Privacy Director, Exonar