Dear Association Members,

On 25^th May 2018 the European Union (EU) General Data Protection Regulation (GDPR) began to be enforced.

As BACA stores a significant amount of member data, we have been actively addressing GDPR compliance for a number of months to ensure that we do our utmost to protect the information which we hold about you, our members, together with the users of our website.

The Regulation sets out to protect the private data of EU Citizens in a way never before seen, it covers both marketing communications via electronic means and also the storage of personal information relating to that individual.  The Regulations cover all interaction with EU Citizens, no matter where in the world they are, or where in the world the company contacting them is.  As the GDPR is already enshrined in UK law, it will also continue to apply to British citizens after Brexit.

Critics believe that the Regulation has run away with itself and will impact data storage significantly, however, in practice, it seems that it is generally really an improvement to existing legislation and it does not mean that all companies will simply be being fined 4% of their global revenue if they make a mistake.  The Authorities in Europe have already indicated that they want the legislation to work and will work with companies that are in breach, to resolve problems, including by way of written warnings and sanctions, ahead of any punitive fines.

There are two important first steps; an organisational Privacy Policy that is GDPR compliant and the appointment of a Data Controller who is responsible for the management of all personal information in the company.  Further information on the legal requirements are linked at the end of this document.

To dispel the first myth, if you have a lawful basis for processing an individual’s data, such as an existing contractual or business relationship you most probably have the right to continue to hold their data and contact them, providing that you give them with the ability to remove themselves from your database at their request and are in a position to provide them with full details of the information you hold about them if they were to ask, you must provide this information promptly and without levying a charge.

If they wish to have all of their information removed from your systems, then you must anonymise and remove every piece of their data in total.  You are permitted to retain limited data which is required for legal reasons, so information such as invoicing history can be kept for the statutory required length of time.  If you believe that a client whose data you store has a “legitimate interest” in hearing from you, for example a client who has used you in the past, or whose details you have been passed from a mutual business contact, then you may decide that you wish to continue to store their information and contact them however it is a legal requirement to give them an opt-out if you do, on every communication you send.

“Cold-calling” new customers via electronic means is an area where organisations need to be careful.  The purchasing and utilisation of ‘e-mail lists’ is now almost impossible to do legally, unless you also have the approval of everyone on the list, which is obviously unlikely.  If you have a sign-up form on your website then it must specifically ask individuals to consent to receive information from you, not simply please check, but that requires a positive click by the individual – you can no longer assume that consent is given when someone fills in the form itself.  It is suggested that a “Double opt-in” is used to ensuring that individuals have understood and agree to hear from you, and to allow them to choose how and what they want to hear from you (most mailing list systems allow this).  It is a good idea to send an email to all individuals currently on your database to indicate that you hold information about them and give them an option to remove themselves or update their information.  Asking them to all sign-up again may result in a very low response  rate, so taking the route of asking existing customers to remove themselves if they wish may be more appropriate – although this should be checked for compliance with the legislation.

Charter Brokers generally find themselves the recipient of much personal information related to their clients and it is vital to secure that information in the best possible way.  Information such as passport details, dates of birth and similar could be of value outside of the transactional relationship and so protecting that information by limiting who can see it and how it is used, is vital.  Technically, each client whose information you hold, so all individual passengers, will need to give some form of positive approval for you to retain their information, this remains a grey area which organisations, including BACA, are seeking further confirmation on.  It is important to ensure that individuals whose data you store are aware of who may process it outside of your organisation (for example, operators or FBO companies) – in which case you should satisfy yourself that they provide GDPR compliant processing of that data on your behalf.

In general, GDPR is not the end of marketing communications and certainly not the end of directly contacting individuals, but it does put far more control in their hands about their own data and how it is used.  Social media marketing is becoming more relevant as a means of first contact marketing as it allows targeted, but not identifiable, canvassing opportunities, but there remain ways that clients and potential clients can be contacted in legal and compliant ways.  Below are some links to documents which are worth reviewing on how this can be achieved.

The UK ICO’s 12-step preparation plan for GDPR compliance, which is a good starting point for most companies, is available to view here:
https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf.

The EU provides this guidance:
https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en.

And individual EU country regulators are available here:
http://ec.europa.eu/newsroom/just/document.cfm?doc_id=48619

UK Information (post-Brexit) will be available from the Office of the Information Commissioner:
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/

Further information on legitimate interest is available here:
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/legitimate-interests/ 

Whilst we would like to be in a position to provide more specific guidance on the implementation of GDPR in your particular organisation we hope you can appreciate that to do so would significantly stretch the limited resources BACA has.  Therefore we would actively encourage you to research the Regulation at the above web addresses and take appropriate action.  What we would say is that the task initially seems daunting but it is in reality achievable once the basic requirements are understood – if the small team at BACA can achieve it, we very much hope that our Members will also be able to!

If there is something specific that you would like to ask, please don’t hesitate to contact us, however please do note we are unable to help with the detailed specifics of implementation within your organisation.

Best regards
Dave Edwards
CEO

Please note that this information is provided for general information and not as legal opinion.  It is to help companies understand the general scope of GDPR, however it should not used in any legal or contractual way and BACA would advise readers to seek legal counsel’s opinion for any specific GDPR issues.