GDPR: How does the rail industry prepare?

Author: Mike Hewitt


The countdown is on. With less than two months before the ambitious legislation comes into effect, GDPR presents potentially the biggest change in data privacy regulations for more than two decades, but how ready is the rail industry?

GDPR consolidates and strengthens data protection rights of individuals, and with millions of customers every year, the rail industry has a huge responsibility to ensure the correct protection of its customers’ personal data. From CCTV footage to email addresses, consumers share personal information every day without giving it a second thought, and all of this needs to be correctly managed by whoever acquires it.


Data protection isn’t something new – the rail industry, like every other sector, has been regulated by data protection acts since 1995 with the EU Data Protection Directive and the Data Protection Act 1998. GDPR is merely an extension of these regulations in terms of data processing, data capturing and data ownership, but all under one directive. Ultimately, if companies don’t abide by the new legislation, there is the potential for huge financial penalties, as well as the resulting costly reputational damage.


The social boom of the 20th century, from the world wide web to social media, has changed the way in which customers share data. For the rail sector, people are at the heart of the work done, so there’s a legal and social responsibility for businesses to protect the business itself, its employees and most importantly its customers.

The heart of GDPR is privacy by default, so the main question is how can businesses adopt this policy? How can we prepare to comply with this new ruling?


To put it simply, there’s not one solution that can tackle the new legislation – multiple components are needed to efficiently cover all bases. The Information Commissioner’s Office has put together a “12 Steps to Compliance” roadmap, which we at Panasonic Business feel is a great starting point:

1. Awareness – Raise awareness within your business regarding what GDPR is. How does it affect you?

2. Information you hold – Analyse the data you hold and create an information audit. With any data you should be aware of what it is, where it came from and who you shared it with.

3. Communicate privacy information – Efficiently inform your customers about the data you are collecting. If needed, review and update your current privacy notices.

4. Individual rights – Firstly, be aware of the rights individuals hold. Secondly, check the procedures in place should there be a request to delete or provide data.

5. Access to information requests – Ensure there’s a process in place should customers request access to the information you hold. 

6. Lawful basis for data – Assess all your privacy notices and see whether the data you are requesting is necessary.

7. Consent – Review how you seek approval from customers regarding consent. This may be a case of refreshing current standards.

8. Child consent – When seeking customer data, ensure there’s a procedure in place should someone be underage – will you need parental approval?

9. Data breaches – There’s no escaping potential threats, so how are you going to tackle data breaches? Do you have a standard protocol in place to detect, report and tackle them?

10. PBD and DPIA (Privacy By Design / Data Protection Impact Assessment) – When designing a project, approach it bearing in mind privacy from the beginning and if needed, create data protection impact assessments which will help to identify the most effective way to comply with data protection obligations.

11. Data protection officers – It would be beneficial to have a data protection officer at your business, or at least someone who leads on this responsibility.

12. International leads – Do you operate in more than one EU member state? Be aware of the legal rulings in different countries.


Following these steps will undoubtedly get you on the right path to complying with GDPR. The deadline is the 25th May – so just over two months left to prepare.


To find out more information, especially in relation to the rail industry, watch this webinar here: 


This blog was copied from an original post on LinkedIn. If you wish to take part in the discussion or share it, please follow this link.