Data privacy and data protection
DATA AND IT SYSTEMS PROTECTION
IT is at the heart of all our activities: passenger booking, flight schedule management, baggage checking, ticket prices, aircraft maintenance, and crew information.
Privacy and data protection constitute a major economic and professional challenge for the business and for customer trust.
Air France-KLM manages its cybersecurity risks with the national authorities and cooperates with the appropriate European Agencies (EASA, ENISA). The group also takes part in the cybersecurity workshops of the main air transportation professional associations (IATA, A4E, GIFAS) and contributes to research with associations specialized in cybersecurity (CLUSIF, CESIN, CIGREF, R2GS, European Aviation ISAC).
Thanks to benchmarking and ratings provided by an independent cyber rating agency, Air France-KLM can compare its position with that of other companies in the air transportation industry. In December 2018, the Group was ranked among the leading large companies. Air France-KLM also draws on the expertise of leading consultants in the cybersecurity market and actively cooperates with the companies to which its information system is connected.
To offer the best level of protection on the ground and in the air, the Air France-KLM Group has been developing four major cybersecurity programs in recent years:
- A program directed at more efficient cybersecurity measures that enable Air France to respond to evolving cyber threats.
- An awareness-raising program for all staff, aimed at developing a cybersecurity culture and helping Air France-KLM employees to acquire the right behaviors in their digital environment. This program was also directed at mobilising the collective intelligence of each team through an online, easy-to-use thirty-minute module, free of technical language.
- A program to ensure regulatory compliance.
- A program to support digital transformation that will provide for a simplified user experience.
An annual presentation on these programs is made to the Executive Committee and to the Audit Committee, guaranteeing sponsorship at the highest level of the company. These programs are supported by Cybersecurity Governance composed of:
- A cybersecurity regulatory framework for ground and on-board IT systems (a security policy based on the ISO 27000 series of international standards and on other standards or regulations applicable to the company’s business).
- An annual monitoring plan for risks linked to digital technologies (audits), and testing of the Cyber Crisis mechanism overseen by the Operations Control Center and the Authorities.
- Three executive committees with complementary responsibilities: the Group’s IT Executive Committee evaluates the coherence between the cyber risks and investment in IT; the Cyber Plane Committee, chaired by the responsible officer, decides on the orientations to be adopted to reduce the potential cyber risks for flights; lastly, the Safety Performance Committee, chaired by the Head of Safety, evaluates the effective mitigation of generic safety risks and, consequently, of cybersecurity risks.
- A report on the residual cybersecurity risk in the major operational risks assessment worksheet, managed by the Internal Control Department.
In 2018, a new European regulation to protect personal data, the GDPR (General Data Protection Regulation), came into force. It replaced the existing laws in both France and the Netherlands, on the one hand expanding the rights of data subjects and, on the other hand, strengthening the accountability and obligations of data controllers, who must now be able to demonstrate compliance with personal data protection requirements.
As data controllers, Air France and KLM chose to deploy a broad-ranging program to ensure the implementation of the GDPR requirements across all businesses and at every level of the organization. This program led to the creation of more rigorous cybersecurity policies, as well as a strengthened personal data management framework based on privacy-by-design and privacy-by-default principles.
A Governance Board convenes the Data Privacy Officers of both Air France and KLM, who work in close cooperation with the existing Boards to ensure full operational compliance. The program developed new tools and frameworks within the business processes to manage the GDPR requirements. To ensure that the procedures guarantee legal compliance, these requirements and the compliance mechanisms were the subject of an in-depth review by external lawyers.
By 2018, the Air France-KLM Group had attained an adequate level of GDPR compliance, the Group’s employees and suppliers having succeeded in changing their practices to ensure that all the requirements are respected in their day-to-day activities. All the Group’s projects and contracts are underpinned by a robust GDPR framework to which management has committed. The implementation of the overall framework will continue in 2019, incorporating the new guidelines published by the Data Protection Authorities.