As more countries follow the lead and enact data privacy laws similar to the European Union’s General Data Protection Regulation (GDPR), the impact is being felt by industries and companies around the globe—including Business Aviation.

In this article, we’re going to cover some areas you need to think about in regard to how various data privacy laws may impact your operation.

You Are Likely Processing Personal Data

In some countries, like the United States, historically only a limited scope of data has been protected (i.e. health and financial data).  It is important to note that many countries’ (i.e. GDPR, the Brazil General Data Protection Law, and China’s Personal Information Protection Law), definitions of personal data are very broad to include any data that could directly or indirectly identify a person.  Even if you only have someone’s name and business contact information, you could be subject to the law.  In addition, the laws are changing rapidly in the U.S. as many states, most notably California, have enacted legislation to expand data privacy protections to the EU’s golden standard.

Some Laws Apply to You Even if You Are Not Located in Those Countries

Many data privacy laws are written so that they apply to any company that is processing the data of their citizens, regardless of where the company is located.  Even if there is not a comprehensive data privacy law in your jurisdiction yet, if you transport passengers or utilize crew members from other countries or states, data privacy laws outside of our jurisdiction may apply to you.

You Have a Duty to Vet Your Service Providers

Think about the service providers you work with—trip support providers, FBOs, caterers, ground transportation providers, etc.  For most of these service providers, you will need to provide personal data of your passengers and crew to facilitate the trip.  Under most data privacy laws, you remain fully liable for any service providers that you provide with personal data.  This means that if your service provider loses the personal data (i.e. suffers a data breach), you could be held liable even if it was solely the service provider’s fault.  Therefore, it is crucial that you conduct due diligence on all of your service providers to ensure they have state-of-the-art data privacy and security programs.

What is Universal Doing?

At Universal, we take regulatory compliance very seriously, as well as the security of the information our customers share with us. With this in mind, are very focused on data privacy laws, and here’s some of things we’ve done:

• We’ve updated our privacy policy so our customers know exactly how their data is being used.
• We’ve enacted various internal procedures to ensure that our customers’ data is processed in accordance with data privacy laws.
• We’ve updated our Terms and Conditions that we set with our ground handlers and ground transportation partners so that they will know their obligations with respect to your data.
• We’ve appointed a Data Protection Officer and an Assistant Data Protection Officer to oversee our privacy program and to be on hand to respond to our customers’ questions.
• We’ve implemented data privacy training for our 1,700+ employees worldwide so they understand the importance of protecting your data.
• We’ve obtained ISO 27001 certification to demonstrate that we are a supplier who meets high-security standards.

Closing Thoughts

As data privacy laws continue to expand, it is nearly impossible now to avoid compliance – if you are a global operator there is likely one or more data privacy laws that apply to you.  If you haven’t already, we encourage you to consult with your attorney to understand how various data privacy laws impact on your specific operation.