Data privacy and data protection
DATA AND IT SYSTEMS PROTECTION
IT is at the heart of all our activities: passenger booking, flight schedule management, baggage checking, ticket prices, aircraft maintenance, and crew information.
Privacy and data protection constitute a major economic and professional challenge for the business and for customer trust.
Air France-KLM manages its cybersecurity risks with the national authorities and cooperates with the appropriate European Agencies (EASA, ENISA). The group also takes part in the cybersecurity workshops of the main air transportation professional associations (IATA, A4E, GIFAS) and contributes to research with associations specialized in cybersecurity (CLUSIF, CESIN, CIGREF, R2GS, European Aviation ISAC).
Thanks to benchmarking and ratings provided by an independent cyber rating agency, Air France-KLM can compare its position with that of other companies in the air transportation industry. In December 2019, the Group was ranked among the leading large companies. Air France-KLM also draws on the expertise of leading consultants in the cybersecurity market and actively cooperates with the companies to which its information system is connected.
To offer the best level of protection on the ground and in the air, the Air France-KLM Group has been developing four major cybersecurity programs in recent years:
- A program directed at more efficient cybersecurity measures that enable Air France to respond to evolving cyber threats.
- An awareness-raising program for all staff, aimed at developing a cybersecurity culture and helping Air France-KLM employees acquire the right behaviors in their digital environment.
- A program to ensure regulatory compliance.
- A program to support digital transformation that provides a simplified user experience.
An annual presentation on these programs is made to the Executive Committee and to the Audit Committee, guaranteeing sponsorship at the highest level of the company. These programs are supported by Cybersecurity Governance composed of:
- A cybersecurity regulatory framework for ground and on-board IT systems (a security policy based on the international ISO 27000 series of standards and on other standards or regulations applicable to the company’s business).
- An annual monitoring plan for risks linked to digital technologies (audits) and testing of the Cyber Crisis mechanism, overseen by the Operations Control Center and the Authorities.
- Three executive committees with complementary tasks. The group’s IT Executive Committee evaluates the coherence between the cyber risks and investment in IT. The Cyber Plane Committee, chaired by the responsible officer, decides on the orientations to be adopted to reduce the potential cyber risks for flights. Lastly, the Safety Performance Committee, chaired by the Head of Safety, evaluates the effective mitigation of generic safety risks and, by extension, of cybersecurity risks.
- A report on the residual cybersecurity risk in the major operational risks assessment worksheet, managed by the Internal Control Department.
The GDPR (General Data Protection Regulation) has been in force since May 2018 and required further action from the company. Rights for data subjects were extended, and strengthened accountability and obligations for data controllers were introduced, requiring proof of compliance with personal data protection rules. Air France and KLM chose to deploy a broad-ranging program to reinforce their rigorous cybersecurity policies and defined a strengthened personal data management framework to ensure compliance with the privacy by design and by default principles. While the design and implementation of the governance, policies and register had been broadly completed in 2018, this program was pursued throughout 2019 with the focus shifting to operational effectiveness.
In January 2019, responsibility for privacy compliance was formally transferred to business departments within the company, represented by the members of the Air France Executive Committee and the KLM Executive Committee as Internal Data Controllers. The other roles of Internal Data Processing Owner and Privacy Coordinator have been further developed.
Regular meetings between the Privacy Coordinators and the DPO teams were established, in further support of effective governance. The second wave of e-learning was also extended to Air France and KLM employees who are involved in developments and initiatives relating to the use of personal data.
The effectiveness of the overall privacy compliance framework is assessed on a regular basis through a dedicated internal audit program. This framework was improved in 2019 but still needs to be strengthened, so further enhancements will be implemented in 2020. In 2019, alongside the GDPR requests sent directly to the companies, Air France and KLM registered and handled a total of 15 complaints concerning personal data: 3 came from outside parties, 2 from the Dutch DPA (Autoriteit Persoonsgegevens) and 10 from the CNIL (the reference authority in France).