Aviation and GDPR: Passenger Data Protection and ICO Enforcement After British Airways
In October 2020, the Information Commissioner's Office fined British Airways £20 million for a data breach that exposed the personal and financial details of approximately 500,000 customers. The original proposed fine was £183 million — reduced during the COVID-19 pandemic. The breach, which ran from June to September 2018, was caused by attackers exploiting inadequate access controls and injecting malicious code into BA's booking website. The ICO's finding was unambiguous: British Airways failed to process personal data in a manner that ensured appropriate security. Every aviation operator holding passenger data faces the same legal obligations.
British Airways fined £20M by the ICO in 2020 for a breach exposing 500,000 customers' data — reduced from an original proposed fine of £183M.
UK GDPR Obligations for Aviation Operators
Airlines, airports, and aviation service providers are significant data controllers — holding passenger names, passport details, payment card information, travel history, and in some cases biometric data. Under UK GDPR and the Data Protection Act 2018, these organisations must:
- Process passenger personal data lawfully, fairly, and transparently
- Implement appropriate technical and organisational security measures (Article 5(1)(f) and Article 32)
- Conduct Data Protection Impact Assessments (DPIAs) for high-risk processing — biometrics, profiling, large-scale surveillance
- Report personal data breaches to the ICO within 72 hours of becoming aware
- Notify affected individuals without undue delay where the breach is likely to result in high risk
- Appoint a Data Protection Officer where required (large-scale systematic monitoring or sensitive data processing)
- Ensure third-party processors have adequate contractual data protection obligations
Lessons from the British Airways ICO Enforcement
The ICO's investigation into British Airways revealed multiple security failures: inadequate access controls allowed attackers to move laterally through BA's network; the booking system lacked security controls that would have prevented or detected the injection of malicious code; there was insufficient monitoring to detect the breach promptly. The ICO found that BA had failed to implement appropriate technical measures — basic controls that were available and should have been in place. The £20 million fine, even reduced from £183 million, remains the largest aviation-related data protection penalty in UK history.
Passenger Data Security Controls Aviation Operators Must Implement
Following the BA enforcement and ICO guidance on appropriate technical measures, aviation operators holding passenger data should have in place:
- Multi-factor authentication on all systems with access to passenger personal data
- Network segmentation separating booking/reservation systems from operational IT and the internet
- Web application firewall (WAF) protecting customer-facing booking portals
- Security monitoring and alerting on systems processing passenger payment and identity data
- Regular penetration testing of booking and reservation platforms
- Documented third-party processor due diligence — global distribution systems, payment processors, baggage handlers
- A tested data breach response plan with ICO notification procedures
PNR Data and Counter-Terrorism Obligations
Airlines operating into or out of the UK and EU must also comply with Passenger Name Record (PNR) data transfer obligations, supplying passenger booking data in advance to border agencies and law enforcement. PNR data transfers must comply with GDPR data transfer safeguards where applicable. The retention and security of PNR data, which includes detailed travel itinerary, payment, and contact information, creates additional data controller obligations beyond those for standard passenger booking data.
Frequently Asked Questions
What passenger data do airlines need to protect under GDPR?
Airlines are typically data controllers for: passenger names, passport and identity document details, date of birth, nationality, contact information (email, phone), payment card data, travel history and booking preferences, frequent flyer account data, special assistance requirements (which may constitute special category health data), and in some cases biometric data (facial recognition boarding). Each category has different risk profiles and some — particularly health data and biometrics — trigger higher GDPR obligations including mandatory DPIAs.
What must an airline do when it discovers a data breach?
Under UK GDPR Article 33, airlines must notify the ICO within 72 hours of becoming aware of a personal data breach — even if the full extent of the breach is not yet known. If the breach is likely to result in high risk to individuals (e.g., financial data or identity documents exposed), airlines must also notify affected passengers without undue delay under Article 34. Internal breach response procedures should include immediate containment, forensic preservation, assessment of scope, regulatory notification, and communications management.
Do airport operators face the same GDPR obligations as airlines?
Yes. Airport operators are significant data controllers in their own right — holding passenger biometric data (facial recognition, fingerprints used for boarding), CCTV footage, security screening records, retail transaction data, and operational data about individuals passing through their facilities. Each processing activity must have a lawful basis, and appropriate technical and organisational security measures must be in place.
Get a passenger data GDPR assessment
Kyanite Blue specialises in cybersecurity for iGaming operators. MGA-licensed operators across Malta trust our stack.