Rules on the protection of personal data will be tightened next month, with fines of up to 4% of annual global turnover or €20m for any organisation which fails to comply. Rhodri Clark reports


Oyster didn’t exist when the Data Protection Act was passed


This article may seem to be yet another one about red tape for transport managers but before you turn the page or fall asleep, take a moment to consider how your company would be affected if it were fined up to 4% of annual global turnover or 20m – whichever is greater.

That is the level of fines which will be imposed on any organisation failing to keep personal data secure, once the European Union’s General Data Protection Regulation comes into force on May 25. It replaces the Data Protection Act 1998, under which fines were relatively insignificant, such as the £400,000 fine which phone company TalkTalk had to pay after failing to protect customers’ details from a cyber attack in 2015. Had the GDPR been in force then, TalkTalk’s fine would have exceeded £70m.

Some of the large groups which operate bus and rail services in Britain could, in theory at least, be fined hundreds of millions of pounds if any one of their subsidiaries fails to protect personal data. Fines under the GDPR are related to global turnover rather than the turnover of the individual business at fault. At the other end of the scale, even a small bus and coach operator would be liable for a maximum fine of almost £18m (20m ) in the event of a data security breach.

The fines are potentially large enough to put some companies out of business, but that is not the limit of the financial liability. UK organisations will have to report every serious data security breach to the Information Commissioner’s Office (ICO). If the breach would probably result in a high risk to people’s rights and freedoms, the organisation responsible must also report the breach to all of the individuals whose data was affected – each of whom may be able to claim compensation.

There are already firms of lawyers who specialise in bringing mass data breach claims arising from well publicised data breaches

According to Patrick Arben, of international law firm Gowling WLG, UK claims for data breaches are on an upward trend now, even before the GDPR ushers in tougher reporting requirements. “There are already firms of lawyers who specialise in bringing mass data breach claims arising from well publicised data breaches,” he warns. “This new claims industry is very likely to expand massively post-GDPR, for the simple reason that under GDPR it will be mandatory to report data breaches to the ICO.”

There is no prospect that the GDPR or equivalent rules will vanish when the UK leaves the EU. According to Transport for London’s data protection experts, non-EU countries such as Canada and Japan have already implemented similar laws, partly to facilitate cross-border exchanges of personal information.

In a nutshell, the GDPR is the somewhat belated regulatory response to the explosion in the amount of personal data which is routinely collected, stored and used, thanks to technological innovations such as mobile internet connectivity and development of sophisticated algorithms. In the passenger transport world, this revolution is manifested in the electronic systems which have replaced coins and paper tickets for many journeys. Oyster didn’t exist when the Data Protection Act was passed, but by 2016 there were 3.8 million registered Oyster cards.

Alongside the GDPR is a new ePrivacy Regulation, which mainly applies to companies which provide online and electronic communications services. TfL expects this to have implications for how it uses data collected from mobile devices connecting to London Underground’s Wi-Fi service.

Our members are at various stages of readiness for the forthcoming changes and over the past six months we have provided them with regular updates and briefings on what they need to do and how best to prepare.

CPT operations director Keith McNally is under no illusions about the scale of the changes which bus and coach operators face. “GDPR presents the biggest challenge in data protection laws for CPT members in a generation,” he says. “Our members are at various stages of readiness for the forthcoming changes and over the past six months we have provided them with regular updates and briefings on what they need to do and how best to prepare.

“The GDPR accountability principle will take bus and coach operators’ compliance regimes in this area to a whole new level. At recent regional and national CPT meetings, we have continued to remind members of the importance of being compliant with the GDPR regulations. They fully understand that a failure to do so may not only result in statutory fines being issued, but it could lead to a loss of customer trust and confidence in your brand, which in turn will have serious repercussions for the business.

“Bus and coach operators requiring specialist advice and support on GDPR are advised to contact one of our many supplier members who provide expertise in this area.”

A Rail Delivery Group spokesman says that train operating companies have been working individually, or within their owning groups, to ensure that they comply with the GDPR in May. “There hasn’t been a cross industry approach to this.”

All TOCs are part of larger owning organisations which have their own resources to manage data security and prepare for the GDPR’s introduction. However, the same cannot be said for many bus and coach operators.

Gowling WLG director Helen Davenport says: “A challenge for smaller companies is that they may well not have the access or budget to pay for IT support, or for that matter other advice on compliance. However, size or lack of resource are by themselves no defence to a breach of personal data security. Organisations should be responsible for adopting structures and resources adequate to the nature and complexity of their business.”

She says the ICO has a dedicated telephone service aimed at helping smaller businesses prepare for the GDPR.

Bev Fowles, of family-owned bus company South Wales Transport, believes that most small independent operators handle little or no personal data relating to bus passengers. Cash is still the only payment method for many of them, and electronic accounting systems for concessionary travel schemes require bus operators to handle only anonymised data.

However, he says that personal data about current and past employees is also covered by the GDPR. Deleting records is not an option because the tax authorities require their retention for seven years, says Fowles.

TfL’s data protection team highlighted last year that TfL holds data on employees’ health and the results of alcohol and drugs testing, and on unsuccessful job applicants.

Davenport says: “When it comes to ensuring they process employee data lawfully, organisations should start by considering what employee data is being processed, whose data is it and why it is being processed as well as when and where it is processed. This forms the basis for working out the justification for processing it under the new regime. One of the potential justifications is that the processing is necessary for compliance with a legal obligation to which the controller is subject.”

Fowles, who is vice-chair of CPT Cymru’s bus commission, urges other small operators to take advice on how to comply. “We’ve taken advice from our HR [human resources] people,” he says, referring to South Wales Transport. “We use our insurance company, who supply that [HR] service for an extra payment each year. Not everybody has that service, but it’s worth paying for.”

Patrick Arben says that alongside investing in better data security, transport operators should explore the possibility of taking out cyber risk insurance. However, his colleague Helen Davenport says this market is a new and evolving one, with few insurers offering specific policies on cyber risk. She also questions how affordable the premiums would be, if such products do emerge.

Transport Scotland is one of the Scottish Government’s partners in a scheme to improve cyber resilience generally. “Cyber resilience plays its part in the context of GDPR,” says one Transport Scotland spokesman.

In its advice on the GDPR to data users, the Scottish Government says: “The biggest causes of data breaches can be avoided by making sure the basics are in place: educate all employees about data protection, the risk of phishing and other social engineering attacks keep all operating systems and software up to date and implement encryption for sensitive data.”

One of the key messages from experts in the field is that businesses should not collect and store any more personal data than they genuinely need. “Many organisations who suffer a data breach are found to have exacerbated the problem by retaining old redundant data for no apparent legitimate purpose,” says Davenport.

One area where vigilance is needed from TOCs and bus and coach operators is the spread of digital forms of ticketing. “Electronic methods of paying for tickets mean businesses have the opportunity to gather more personal data, which may also potentially have commercial value,” says Davenport. “However, just because data can be collected, businesses should still think carefully about whether it should be collected and, if so, how it will be handled.

“Where it is necessary to process personal data, businesses should ensure steps are taken to ensure that it is processed securely.”

Many TOCs and other businesses use their customer databases to distribute targeted marketing. The GDPR introduces new standards of consent which the organisation must obtain from each user before sending out marketing material. Davenport says these standards require consent to be specific, granular, clear, prominent, obtained through opting in, properly documented and easily withdrawn if the customer wishes to stop receiving messages.

She says compliance is likely to require organisations to obtain new consents from customers, including those who have consented in the past. “However, consent is not the only basis on which direct marketing, like other forms of processing, can be undertaken. It may be possible to conduct marketing in reliance on the data controller’s legitimate interests.

“In addition, marketing that is currently lawfully conducted on an opt-out basis under the Privacy and Electronic Communications Regulations (PECR) is unlikely to be affected by the GDPR. Given the potential risks, including fines, of getting it wrong when marketing and also when refreshing consents to do so, this is an area to which careful consideration should be given.”

Finally, the GDPR has a potential sting in the tail for transport operators, in the form of free Subject Access Requests. Under current rules, anyone who asks an organisation for details of the data held on himself or herself can be charged up to £10 per request, which recognises that responding to the request involves staffing costs.

The GDPR will make all requests free for the data subject, removing the financial deterrent to lodging multiple requests. The only exception allowed under the GDPR is where an individual makes excessive requests, such as repeated requests to the same organisation, in which case a fee can be charged.

However, Davenport says: “The burden of proving the request is manifestly unfounded or excessive is on the business, and so the most cost-effective option in many cases will be to bear the costs of responding to the request.

“The number of Subject Access Requests businesses are receiving is already on the rise under the current law, likely to be largely due to data subjects becoming increasingly aware of their data privacy rights. The removal of a fee for data subject access requests from 25 May 2018 may result in a further increase in the number of requests operators receive.”


This article appears in the latest issue of Passenger Transport.

DON’T MISS OUT – GET YOUR COPY! – click here to subscribe!