Leading Airliner

Client

For an airline serving millions of passengers annually, it processes vast amounts of personal identifiable information (PII) including passenger details, frequent flyer information, booking history, payment data and travel preferences.

Following the implementation of the European Union’s General Data Protection Regulation (GDPR) in 2018, it faced significant compliance challenges. The regulation grants individuals specific rights regarding their personal data, including the right to access (data subject access requests or DSARs) and the right to be forgotten (data erasure requests).

The airline’s data architecture had evolved over decades, resulting in customer information being distributed across numerous disparate databases and systems throughout the organization. This fragmented data landscape included reservation systems, loyalty programs, customer service platforms, marketing databases and operational systems—each storing overlapping but distinct sets of customer information.

Challenges

It’s fragmented data architecture created severe operational bottlenecks when handling GDPR compliance requests:

• Resource-Intensive Data Discovery: When customers requested access to their personal data or asked for data deletion, employees had to manually search through dozens of separate databases and systems to locate all relevant information.
• Excessive Response Times: The manual data discovery and compilation process took weeks to complete for a single customer request, far exceeding the 30-day response window recommended under GDPR.
• Inconsistent Data Handling: Without a standardized process, different teams handled data requests differently, creating compliance risks and inconsistent customer experiences.
• Limited Auditability: The manual process made it difficult to maintain comprehensive audit trails of who accessed what data, when and for what purpose — a critical requirement for GDPR compliance.
• Operational Overhead: Dedicated staff had to be assigned to handle GDPR requests, diverting valuable human resources from core business activities.
• Scalability Concerns: As customer awareness of GDPR rights increased, the volume of requests was expected to grow, threatening to overwhelm the already strained manual processes.

These challenges not only created compliance risks but also impacted operational efficiency and customer satisfaction, as response delays and inconsistencies reflected poorly on the airline’s service quality.

Our Solutions

To address these challenges, a comprehensive solution was designed and implemented on Google Cloud Platform (GCP) with the following key components:

• Centralized PII Database: Developed a purpose-built central repository specifically designed to store and manage all personal identifiable information across the organization. This database became the single source of truth for customer PII data.
• Data Integration Framework: Created a robust ETL (Extract, Transform, Load) pipeline that regularly synchronized data from all legacy systems into the central PII database, ensuring comprehensive data coverage while maintaining data integrity.
• Automated Request Processing System: Built an automated workflow engine that could instantly query the centralized database upon receiving a GDPR request, compiling comprehensive customer data reports or executing deletion requests across all connected systems.
• Advanced Security Controls: Implemented stringent access controls, encryption and security measures to protect the sensitive data stored in the central repository.
• Comprehensive Audit Logging: Developed a detailed audit logging system that recorded every interaction with the PII database, including who accessed what data, when it was accessed and the specific business purpose for the access.
• High-Performance Architecture: Engineered the solution to handle high throughput, scaling to process up to 10,000 requests per second, ensuring the system could manage peak loads and future growth.
• Self-Service Portal: Created a user-friendly interface for both customers to submit requests and for authorized employees to process them, with appropriate authentication and verification mechanisms.

The solution leveraged GCP’s scalable infrastructure, including Cloud Spanner for the database, Pub/Sub for event handling, Cloud Functions for processing and Stackdriver for monitoring and logging - creating a robust, secure and highly available system.

The Results

The implementation of the centralized GDPR compliance system delivered transformative results:

• Dramatic Efficiency Improvement: The time required to process GDPR requests was reduced from weeks to minutes, representing a reduction of approximately 99% in processing time.
• Resource Optimization: Staff previously dedicated to manual data searches were reallocated to more strategic activities, resulting in significant operational cost savings and improved employee satisfaction.
• Enhanced Compliance Posture: The comprehensive audit logging and consistent processing approach substantially reduced compliance risks and improved the airline’s overall GDPR posture.
• Improved Customer Experience: Faster response times to data requests enhanced customer satisfaction and reinforced the airline’s reputation for customer service excellence.
• Scalable Solution: The system’s ability to handle 10,000 requests per second ensured that they could easily manage increasing volumes of GDPR requests without additional resource allocation.
• Better Data Governance: The project catalyzed improved data management practices across the organization, providing better visibility into data storage and usage patterns.
• Cost Efficiency: Despite the initial investment in building the system, the long-term operational savings and risk reduction delivered a strong return on investment.