Compliance and storage in the airline industry

Airlines must manage multiple sources of data to comply with legal and industry requirements, and anti-terrorism measures

In these times of sensitivity to terrorism, airlines must comply with numerous state security requirements that track individuals and their movements. And they must also comply with regulations that protect customer data and individual privacy, such as PCI-DSS and the UK Data Protection Act. They must deal with their own customer preferences and marketing data. To top it all, they operate internationally and so must face issues of data compliance across several borders.

In this podcast, storage editor Antony Adshead talks to Vigitrust CEO Mathieu Gorge about the compliance requirements facing airline industry operators and the implications for storage and backup.

Antony Adshead: What compliance requirements does the airline industry face?

Mathieu Gorge: Other than nations’ security obligations with regard to fighting terrorism and managing no-fly lists and being able to trace who’s been flying from where to where for legal reasons, there are specific compliance requirements with regard to data protection, from the legal and industry perspectives.

So, from a data protection perspective in the UK there is the Data Protection Act, in the European Union (EU) there is the upcoming data protection regulation. There are also international regulations with the challenge of transferring data from the EU to other areas such as the US and Asia.

Also, there is the overarching challenge of industry regulations such as PCI-DSS, which bring with them specific requirements such as data retention. In addition, the commercial airline industry is also subject to freedom of information regulations, depending on how it is set up in different countries.

So, it has unique challenges in that airlines tend to collect huge amounts of data. An airline is going to have airports with ticket desks and kiosks and travel agents working on behalf of the airline or owned by the airline. There will be data that’s collected in-flight via, for example, internet access or purchases in-flight. Then you’ve got online data: about trips, personal data, credit card data, travel preferences, geo-location data etc.

An additional challenge is that a lot of the data being collected is still paper-based. The airline industry is digitising, but there is still a good deal of paper data.

So, for the big data analytics that’s required for an airline there are some specific challenges and they need to be addressed the right way.

Storage and backup

Adshead: What are the implications of these for storage and backup?

Gorge: Well, as with every large organisation airlines need to be able to map the ecosystem that they use and how data flows from one area to the other. Once they’ve done that they then need to classify that data, so some data will be required for legal and security purposes.

Other data will be required by the airline for its own big data analytics for marketing and sales purposes. And then there is other data required from a data protection perspective.

So, all that data needs to be classified. Once you’ve done that, you can have a look at the storage per type of data.

There are some specific challenges with regard to the technical classification of data and how you manage that data in the airline industry. Data needs to be timestamped and found quickly, making sure the data is accurate; for e-discovery, for example, the requests are extremely time-sensitive.

With the amount of data an organisation like an airline might have on specific travellers, for example, they need to make sure they get to that data the right way, as fast as possible. And what I mean by the right way is that it needs to be on need-to-know access only.

Risk management

Security is paramount for this industry and so access to the data that might be backed up or stored presents a huge risk for airlines.

Another challenge is around data created by two airlines merging. The airline industry has been consolidating for the past few years and when we see two giant airlines joining forces, from the data perspective it means they could double the size of backup and storage. So, where is the data and how do you get access to it?

The advice would be that on a yearly basis they get an independent view of their data flow mapping and security of the data at three different levels: at rest, in transit and, in future, of encrypted data in use, which is very topical in 2014.

At the very least, all airlines should be PCI-DSS compliant. Most are, but not all of them. PCI-DSS can help provide them with a good framework for mapping the data and looking at the data at-rest and in-transit. This is really a baseline, as it is with complying with the Data Protection Act, from a storage perspective, for the airline industry, because frankly, if it can’t protect credit cardholders’ data, then one could be worried about other types of data.

So, the last word on that is that classification is key for the airline industry. They need to know where data is coming from, where it is going to and how it is going to be stored, really with a key emphasis on need-to-know access only.
