The impact of the EU General Data Protection Regulation on the railway industry

Posted: 19 April 2017 | | No comments yet

What will the impact of the GDPR be for rail businesses and what steps should they be taking now in preparation for implementation?

The EU General Data Protection Regulation (the GDPR), which comes into force across the EU on 25 May 2018, consolidates and strengthens data protection rights for individuals. Many of the GDPR’s changes will significantly impact the railway industry – particularly TOCs.

This article considers the impact of GDPR for rail businesses and what steps they should be taking now in preparation for implementation.

Key Changes


The most eye-catching change is the introduction of maximum fines of up to 4% of an organisation’s worldwide turnover or €20 million. This is a huge increase on the current UK maximum sanctions, which are £500,000.

Legal grounds and privacy notices

Legal grounds, such as consent, are made more onerous for organisations to satisfy, and the requirements for the content of privacy notices are changed, meaning all organisations will likely need to amend their existing privacy notices and terms.


There is greater emphasis on being able to evidence compliance, including by carrying out Privacy Impact Assessments for high risk projects, keeping detailed records of consents obtained and implementing so-called ‘privacy by design’ internal processes.

Rights of data subjects

Data subjects are given new and enhanced rights including a more extensive ‘right to be forgotten’, a right of ‘portability’ (allowing for free transmission of data in commonly used formats) and strengthened rights to object to processing.

Impact of the GDPR on the railways industry

In addition to the above, the railway industry will be particularly affected in the following areas:


The GDPR expands the definition of personal data to include pseudonymised personal data (e.g. data that has been encrypted to conceal the identity of the data subject), location data and online identifiers. For TOCs, this extension of personal data may result in additional compliance obligations as data processed by them that previously fell outside the Data Protection Act now falls within the remit of the GDPR (many types of cookies, for example, will now be deemed to be personal data).


When a TOC is relying on obtaining consent to process data, the consent must be a very clear and explicit statement of consent which must be separate from other terms and conditions. Consent also must be a positive opt-in and consent should not generally be a pre-condition of signing up to a service. It is likely that most TOCs will need to amend their online terms and conditions (including those applicable to on-board WiFi services) to reflect this.

Breach notification

Organisations will need to report a personal data breach to the ICO within 72 hours and inform data subjects of a high risk breach. This is likely to require an update of the current breach procedure. With TOCs increasingly holding information of value to hackers – such as card and bank account details and journey information – security is of paramount importance and the GDPR is designed so that it will never be cheaper to suffer a breach than to secure the network.

What about Brexit?

On 25 May 2018, the GDPR will become directly effective in all member states of the EU, which is almost certain to still include the UK at that point. This means that the GDPR will be directly applicable in the UK for at least several months before it ceases to apply automatically.

After this point, the Government has indicated it is very likely that the UK will seek to retain or replicate the GDPR in national legislation. Similarly, with much of the provisions of the GDPR applying extra-territorially to organisations that do business in the EU in some form, many railway companies may find themselves in scope, either as part of an EU-owned group of companies or otherwise through international operations.

What should you be doing now?

With just over a year to implementation, you can do the following:

  • Audit what data is collected, where it is stored and the legal basis of processing
  • Review existing privacy policies and terms with data subjects as well as terms with third party data processors or other counterparties
  • Assess procedures for handling individual requests and notifying data breaches
  • Plan any changes to systems and processes that will be required to satisfy the requirements.

See also the ICO’s 12 steps to take now which contains some further tips on how to plan for the GDPR.

Related topics

Related people

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.