Whether for passenger bookings, flight schedule management or aircraft maintenance, etc., information systems are at the heart of all of Air France-KLM’s activities. For the Group, the protection of personal data, a key element in the trust accorded to the Group by its customers, is a priority focus.
Permanent benchmarking and an independent cyber ranking agency enable us to remain informed of the measures implemented by other air transport industry players and thus adapt our own processes if necessary. In December 2021, the Air France-KLM IT centers had a cyber score situated above the top end of the range for the air transport industry.
Close cooperation with the national authorities and the relevant European agencies (EASA, ENISA).
Calling on the expertise of consultants who are leaders in the cyber security market and actively collaborating with the companies connected to its information system.
Participating in working groups with the main airline associations (IATA, A4E, etc.) and contributing to the research of associations specialized in cyber security (CLUSIF, CESIN, CIGREF, etc.)
An overall awareness-raising program for all the Group’s staff with mandatory Cyber training
A regulatory compliance program which notably includes a specific level of protection and supervision for the critical systems.
A digital transformation support program to provide a simplified and secure experience for the user.
An annual presentation on these programs is made to the Group Executive Committee and to the Audit Committee of the Air France-KLM Board of Directors, guaranteeing sponsorship at the highest level. These programs are supported by a Cyber Security Governance composed of:
A cyber security regulatory framework for ground IT and onboard systems (safety policy based on the ISO27000 series of international standards and other standards or regulations applicable to Air France-KLM’s activities)
An annual monitoring plan for risks linked to the digital technologies, and testing of the cyber crisis mechanism overseen by the Operations Control Center and the Authorities
Three management committees with complementary perspectives. The Group’s IT Executive Committee notably reviews the match between the cyber risks and IT investment. The Cyber Plane Committee, chaired by the Accountable Manager, decides on the orientations to be adopted to reduce potential cyber risks to Flight Safety. Lastly, the Safety Performance Committee evaluates the effective mitigation of generic safety risks, including cyber security.
A report on the residual cybersecurity risk in the major operating risk sheets steered by Internal Control.
Since the Group is well aware that the protection of private lives and personal data is an increasingly sensitive subject, and rightly so, it places this issue at the heart of its priorities and ensures the highest level of regulatory compliance.
In 2021, in addition to strengthening the existing processes for Data Privacy governance, the management of data compliance breaches and training as part of the annual compliance program.
Implementation of the guidelines from the Group’s data protection authorities and of the recommendation of the CNIL (Commission Nationale de l’Informatique et des Libertés) relating to the “management of cookies and other tracers” on the Group’s web environments and mobile applications;
Launch of a program to deploy the new models of Standard Contractual Clauses of the European Commission and of the recommendations of the European Data Protection Board (EDPB) on personal data transfers outside the European Economic Area (following the analysis of the judgement of the Court of Justice of the European Union invalidating the Privacy Shield in the “Schrems II” case);
Support for measures imposed to manage the crisis linked to the Covid-19 pandemic, in France and internationally, and for initiatives launched in this area by the Group’s airlines.
The overall effectiveness of the Data Privacy management system is regularly evaluated thanks to a dedicated Internal Audit program. This framework has been improved and reinforced since 2019. An ex-post audit will be carried out to ensure the adequacy of the improvements made.
In 2021, in parallel with the GDPR (European General Data Protection Regulation) requests sent directly to the airlines, Air France and KLM recorded and handled a total of 13 complaints concerning personal data privacy: five from the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) and eight from the CNIL.
