Privacy management at Royal Schiphol Group: Mind your step!

By Robyn Post and Danaï Giannouli

 

A different perspective
When thinking of Royal Schiphol Group (hereafter: Schiphol), this image of an impressive innovative international hub comes to mind where (up to the moment the Covid pandemic started) millions of passengers start, continue or end their journey. A company with the mission “connecting your world” and therefore a strong focus on establishing a secure, safe, efficient, sustainable, high quality and enjoyable environment for travellers and employees. Safety and security are subjects that are integrally part of the Schiphol DNA, not only from an operational perspective – but also from a privacy and data protection perspective. 

 

A common misunderstanding is that Schiphol has the same insights about a passenger departing from, transferring via or arriving at the airport. However, Schiphol does not collect the same personal data about a passenger as for example the Royal Netherlands Marechaussee, Dutch Customs, airlines and the operators of retail units and catering establishments. It is beyond question that Schiphol can’t access the personal data these stake­holders process. Therefore, a funny fact is that most of the time a passenger is (and stays) anonymous to Schiphol. There are of course exceptions, like in the situation a passenger makes use of a Schiphol service or product (for example Parking or Privium) or when Schiphol processes personal data on behalf of another partner or stake­holder.  

 

“A funny fact is that most of the time a passenger is (and stays) anonymous to Schiphol.”

 

The aviation industry, and more specifically the perspective of Schiphol, is an extraordinary and highly interesting working field, especially looking from a data privacy perspective. In this article an insight is given into the strategy and setup of the daily operations of the Schiphol Privacy Office and the internal and external collaborations that exist, especially focusing on the employment of (new) technologies. In conclusion, some experiences are shared with regard to the added value of these collaborations in light of the continuing implementation of the General Data Protection Regulation (GDPR).

 

Privacy management at Schiphol
The scope of Schiphol’s privacy organisation is broad and covers the Royal Schiphol Group N.V. and its subsidiaries, including the regional airports (Eindhoven Airport, Rotterdam The Hague Airport and Lelystad Airport). One of Schiphol’s main ambitions is to create the world’s most sustainable and high quality airport, therefore it is also of upper importance to constantly strive to provide a high level of protection to personal data. An important Schiphol statement is that passengers, customers, business partners and employees must be able to trust Schiphol when processing their personal data. 

 

As an organisation in a complex environment it is incredibly important to make sure that all the business units within the organisation are aligned and aware of the importance of data privacy. Therefore, Schiphol has created a Data Protection Organisation and structurally organizes awareness sessions for the entire staff to share information about the privacy rules, privacy policy and new developments. The Data Protection Organisation is structured according to ‘the-three-lines-of-defence-­principle’ that designates different roles such as ownership, control, advice and assurance.

 

More precisely being:

1. The first line of defence (ownership): Management of business unit
2. The second line of defence (control and advice): Privacy Office and the Data Protection Officer
3. The third line of defence (assurance): Group Internal Audit

 

For the management to be able to manage privacy risks and additionally to support the Privacy Office and the Data Protection Officer, Schiphol has created the role of the Privacy Champion. The Privacy Champions are the first points of contact for basic questions within their business unit and involve the Privacy Office when needed. Furthermore, some of the key activities are supporting management and the Data Protection Officer in demonstrating compliance (in the form of periodical key control testing), maintain the register of processing activities and being the ‘ears and eyes’ in each business unit to be involved in an early stage to ensure Privacy-­by-Design is applied. The role of the Privacy Champions is supplementary to the existing role of the employee. 

 

Privacy operations
The Privacy Office has expert legal knowledge on data privacy and the Privacy Champions can involve them when data privacy matters are too complex. The Privacy Office then supports the business units in providing advice about the proper protection of personal data. In addition, the Privacy Office maintains policies, procedures, tooling, provides awareness activities and performs Data Protection Impact Assessments (DPIA’s). Where necessary, collaboration will be sought with the Schiphol Cyber Security Centre (SCSC) in order to exploit any synergies in the area of cyber security. The SCSC determines which security measures have to be implemented in order to protect the personal data.

 

To identify any privacy risks at an early stage, the Privacy Champions and the Privacy Office conduct Privacy Risk Assessments (PRA’s). This PRA needs to be carried out for every new or changed data processing activity. A risk-­based approach is used when mitigating the identified risks. The higher the risks for the concerned data subjects, the more mitigating measures are needed to ensure privacy compliance.  

 

Internal collaborations
To run an airport, it takes a flawless operation and continuous innovations and improvements. Therefore, the daily operations are subject to fast moving developments. The organisation has many different business units in which data privacy plays an important role. The different business units all work closely together and due to the fact there are many, the Privacy Office has divided them amongst the Privacy Office. Two interesting business units are worth mentioning, being ‘Consumers’ and ‘Digital & Innovation’.

 

The business unit ‘Consumers’ creates unique experiences for travellers. They do so with a broad range of shops, catering establishments and services. For example, very interesting from a data privacy perspective are the parking and premium services they provide, such as Privium service. When joining Privium one joins a program with exclusive extras for comfort and convenience of the passenger. For example, a priority parking place, fast security and border control clearance. The business unit ‘Digital & Innovation’ uses the newest technologies to shape the future of Schiphol. By using technology and data, they make the airport ‘future-proof’ and provide an excellent (digital) customer experience for both travellers and airlines.

 

“Stakeholders could have diverse national and international (legal) obligations to comply with and for example different purposes with regard to the personal data that will be collected.”

 

A multi-stakeholder environment
Looking at the data processing activities that take place at Schiphol, it is clear that Schiphol not only initiates, but also partakes in various collaborations with external partners and stakeholders. The stakeholders Schiphol often collaborates with are for example airlines, ground handlers and national (and international) governments and bodies. The scope, purpose and goal(s) of these projects vary every time. To provide a sneak peek into this multi-stakeholder environment, two specific topics are worth highlighting due to their complexity and therefore required collaboration and alignment: border related projects (and innovations) and camera surveillance.

 

Border related projects
Schiphol owns and therefore facilitates the required physical space for the various processes and checks that need to be carried out at the airport, for example check-in, luggage handling, security, border control and boarding. Schiphol works closely together with airlines, national and international governments towards new technologies that can ensure safety and facilitate a more efficient, convenient and overall more enjoyable travel experience for the passenger. One of the technologies that is being explored is to enable travel with facial recognition. At this moment, a passenger still needs to show his or her passport, boarding card or both at the various checkpoints at the airport. It is likely that in the future the passenger will be able to pass through these checkpoints more easily due to facial recognition technology. As a result, the passport and boarding pass can stay tucked away in the bag of the passenger. Together with the aforementioned stakeholders, Schiphol is working to make this new way of travelling possible in the future. 

 

Camera surveillance
Together with several stakeholders such as the government of the Netherlands and other aviation sector parties, camera surveillance is managed at the airport and the surrounding areas. Pursuant to the Aviation Act and other legislation and regulations, Schiphol is under a statutory obligation to ensure the airport’s security in the broadest sense of the word. Furthermore, the footage recorded by the video cameras are also needed for operational purposes. Since the (footage of the) video cameras are part of a camera observation network, the multiple stakeholders work closely together to maintain public order and safety.

 

Integrated approach
While collaborating on data initiatives, data privacy and (cyber) security requirements have the outmost urgency and priority. Therefore, the business, architects, developers, privacy- and cyber security specialists from all relevant stakeholders work closely together on concepts and ideas that take all necessary requirements into account. Enabling Privacy-by-Design, asks for a very pro-active approach from all (privacy) experts involved. Especially focusing on the processing of personal data and the implementation of the requirements that follow from the GDPR, often multi-stakeholder legal working groups are established. In these sessions different concepts are discussed, challenged and assessed (with a PRA or DPIA) to see whether all privacy requirements are taken into account. 

 

“It is likely that in the future the passenger will be able to pass through these checkpoints more easily due to facial recognition technology.”

 

When (new) technologies (that process personal data) are considered and developed, testing is an integrated part of our way of working. When a concept meets a certain level of maturity, the concept will be tested to see whether the method and set-up works. Testing with anonymous data in a non-operational environment is the starting point, but especially in the field of optimizing passenger focused processes, real passenger feedback is key. Testing from a concept and operational perspective is important, but also focus on the perception and use of personal data (for example, the level of information that needs to be provided to make sure that the passenger can make a well informed decision to participate or not).Therefore, live tests or pilots and periodical evaluations are vital in our developing processes. 

 

This approach can be challenging, especially looking at the different stakeholders, perspectives, accompanying responsibilities (being data controller or data processor) and (sometimes other) interests. Furthermore, stake­holders could have diverse national and international (legal) obligations to comply with and for example different purposes with regard to the personal data that will be collected. However, looking at the GDPR requirements the baseline is identical for all stakeholders (of course with the national derivations and local implementation acts taken into account). 

 

Added value of collaborations
For all stakeholders the privacy “point of departure” is the same: the necessity and legitimacy of the data processing activities must be clear, transparency is key, purpose limitation and data minimization form the foundation of the processing activities. Among other things the necessary security and organisational measures need to be assessed and implemented in close collaboration with the (cyber) security experts. There­fore, project views and high level goals with regard to data privacy initiatives align. Stakeholders see trans­parency and trust as fundamental pillars for every product, service or process that is being developed, implemented and/or offered to the travellers. 

 

Conclusion
At Schiphol and in data initiatives that are being developed with external stakeholders, ensuring privacy compliance is the main priority. Despite working in a very complex playing field, together with all relevant parties, Schiphol establishes the necessary alignment and safeguards (on multiple organisation levels). Do note, implementing privacy requirements is not always an easy task as these norms are often quite vague and leave room for inter­pretation. You can therefore say, especially when exploring to deploy (new) technologies that process personal data, Schiphol and its stakeholders are pioneering and striving to implement privacy requirements in the best possible and most accurate way. 

 

Schiphol’s perspective is clear: the travellers’ experience and trust is key in everything that is being developed. Especially looking from a passengers’ perspective, travelling still is basically a very stressful undertaking for most people. Therefore, any new process, technology or product Schiphol develops must be tangible, feel ‘right’ privacy wise and most importantly provide an added value to the passenger.

 

In short:
• Safety and security are subjects that are integrally part of the Schiphol DNA, not only from an operational perspective – but also from a privacy and data protection perspective;
• One of Schiphol’s main ambitions is to create the world’s most sustainable and high quality airport, therefore it is also of upper importance to constantly strive to provide a high level of protection to personal data;
• Looking at the data processing activities that take place at Schiphol, it is clear that Schiphol not only initiates, but also partakes in various collaborations with external partners and stakeholders;
• In this article an insight is given into the strategy and setup of the daily operations of the Schiphol Privacy Office and the internal and external collaborations that exist, especially focusing on the employment of (new) technologies and the processing of personal data. 

 

About the authors
Robyn is a legal counsel (and experienced senior privacy officer) at the Royal Schiphol Group, specialized in privacy and data protection. Robyn’s expertise focuses on internal and external privacy management and complex data processing activities. Within Schiphol she is mainly responsible for providing privacy advice on i.a. digital and border related initiatives. 

 

Danaï is an experienced legal counsel at the Royal Schiphol Group and specialized in privacy and intellectual property. With almost six years of extensive knowledge within the aviation sector, Danaï is mainly responsible for providing advice on complex privacy and IP related matters, focusing on complex data processing activities related to i.a. consumer and safety & security related initiatives.