Unless you’ve been living under a rock, you’ll be aware that data laws in Europe are changing with the introduction of the General Data Protection Regulation (GDPR). The past few years have seen stories surface from every industry about companies using user data for purposes other than originally specified, and that’s exactly what GDPR is designed to bring an end to.
GDPR requires companies across every sector to update the way they process and share personal data. This isn’t necessarily a bad thing, however. As the UK Information Commissioner, Elizabeth Denham, explained: “The GDPR is a step change for data protection. It’s still an evolution, not a revolution.”
So while the new laws don’t mark a drastic change in the way companies handle data, an update to outdated personal data laws across the EU has been long overdue. The previous data protection laws, brought into place in the ’90s, have struggled to maintain pace with the developments of the past decade. It’s worth noting that it’s not just companies based in the EU that are subject to the new data protection regulations. GDPR isn’t directed at European companies but at the data and information of EU citizens.
Data protection in transport
Of course, any company that provides WiFi as a secondary service will already have a data protection plan in place. For transport companies with onboard WiFi services, protecting the data of their passengers is essential to maintaining trust. For companies operating across EU countries (and even for those operating in the UK, providing services to EU citizens post-Brexit), it’s vital they ensure all of their services align with the new regulations.
In the transport industry, it’s essential when seeking permissions from passengers to be transparent about what data is gathered and how it’s used. Transport networks can ensure this by updating their terms & conditions on the initial login page. These T&Cs must also provide clear instructions on how passengers can opt out of providing this data at any time.
Provided passengers agree to some form of data gathering, the data gathered must not fall into the category of personal data, which includes:
- Basic information such as name, address and ID numbers
- Web data such as IP addresses and cookie data
- Health, biometric and genetic data
- Racial or ethnic origin and sexual orientation
- Political opinions, religious beliefs, and union memberships
Prior to GDPR, companies still had to adhere to collecting only depersonalised information. Transport companies such as Transport for London (TfL) gather information like an encrypted version of the device MAC address, the date and time the device broadcast its MAC address, the access point it’s connected to, the device manufacturer and the device association type.
Protecting passenger privacy
Of course, protecting passenger data should be an integral aim of any company. Numerous data scandals have weakened the public’s faith in corporations’ ability (or willingness) to use their data responsibly. In transport, where thousands of passengers can connect for a short period every day, the need to maintain an open and transparent data-collection process is just as vital. After all, when passengers can trust that the company they are travelling with is using their data responsibly, they’ll be more likely to consent to providing it.
The anonymised data gathered through onboard WiFi use can be useful for both passengers and transport companies. Bus and coach networks can use it to better understand the passenger journey, which can then go on to inform schedules, routes and the size of vehicles. Meanwhile, passengers can benefit from the increased efficacy of routes and enjoy wider access to different services. With GDPR in effect, passengers will need to specify the kind of data you can gather, but this doesn’t necessarily mean transport networks will have access to less information.
One of the most significant aspects of the new data protection rules is breach reporting: if there is a data breach affecting one of your customers, all parties responsible must report the breach to the relevant authorities within 72 hours. A breach is defined as any loss, alteration or unauthorised access of personal data.
Always seek permission
GDPR explicitly forbids restricting access to a wireless network on the basis of a customer providing personal data. That means wireless network services must be provided without the condition of providing personal data.
The central aim of GDPR is to prevent companies from providing the personal data of their users to third-party marketing companies without first seeking consent. Consent can only be given when the user is provided with specific, clear information on how this data will be used.
For passengers, the new GDPR rules will likely have little effect on the overall browsing experience. Users will be asked to decide the amount of data they wish to provide when they first connect. With their chosen settings, passengers can enjoy secure browsing without the need to worry about who has access to their personal data.
Transport companies have an array of tools to make their business data compliant. The Information Commissioner’s Office (ICO) website includes a section on understanding GDPR with a dedicated advice line. The ICO also includes a handy document on GDPR guidance and a ‘lawful basis’ tool that aims to give businesses tailored guidance on the legal basis for the different data processing protocols.
What it means for your business
Of course, companies that previously relied on revenue gained from third-party marketing companies to offset the cost of providing WiFi will no longer be able to do so. Whilst some WiFi providers have a case for processing some user data, public transport networks rarely fall under this category.
At first glance, the options for transport networks looking to provide WiFi are extremely limited:
- Provide WiFi on a pay-to-use basis
- Continue to provide WiFi without the benefit of revenue from third-party marketing companies
- Stop providing WiFi altogether
While none of these options is ideal, they aren’t the only choices available. The introduction of GDPR has seen an uptick in the use of Federated Identity Management (FIM) technology among public WiFi providers. FIM relies on an independent common federated authority to manage the identity of a user. With no need to store any customer data, FIM offers a solution to WiFi providers looking for cost-effective GDPR compliance.
Besides this, transport networks can still gain valuable insights from anonymised metrics. Provided passengers consent to non-personal data-gathering through your WiFi, you can use that data to better understand elements like:
- The average number of users at key times
- The average browsing time
- Onboard data usage
- Mobile ticketing uptake
The insights gained through these diverse datasets can go on to improve passenger experiences and ultimately develop a more streamlined, passenger-focused service, and that’s something everyone can agree to.