The General Data Protection Regulation (GDPR) came into force on 25th May 2018. You will undoubtedly have been bombarded with emails and communications from banks, retailers, your childcare provider, your doctor and dentist and pretty much any company or organisation you have given your details to.
In some cases, you will have been required to do nothing, the company contacting you simply telling you how your data will be used. In other cases, you will have needed to confirm your preferences, otherwise after the 25th May you would not hear from that company again (how many of you have ignored some of those emails?). I even had one company phone me to say that if I did not reply to the many emails I had not replied to, they wouldn’t be able to contact me with their offers. My response? That’s absolutely fine, as if I want to use your company I will contact you.
But on a day-to-day basis, has much actually changed? I probably receive fewer ‘junk’ emails, but does the new legislation leave me unable to sleep at night wondering how organisations holding my data might be using it? Absolutely not. Do I have any interest in contacting any organisation to see what data they hold, whether it is accurate, and what they may or may not be doing with it? That would be a ‘no’. Should organisations be scared to go about their daily legitimate business as a result of GDPR? No. I would hazard a guess that most people are comfortable and satisfied with how their data is being held and used by the companies and organisations they have dealings with, and that once the flurry of communications stops (there are still a few emails on the subject coming in) it will be business as usual.
I recently spoke with a friend who works for a large corporation in London. His team had been briefed on the impending GDPR. He came away from that meeting and said to me, “Great, I now have a team who are too scared to do anything once this comes into force”. The ‘scary’ thing is that GDPR shouldn’t be scary, but the fear of data breaches with sanctions that are purely punitive in nature will make many think twice about doing something that they actually need to do.
There is no doubt that data has been misused. The new Regulation attempts to give greater transparency and control to the individual who is the data subject and seeks to ensure that businesses only use the data they hold in the way they have told the individual they will use it, or in the way the individual has specified they want their data used.
Of course, it is right that the individual should own, and be in control of, the personal data that is held about them. But if, as an organisation, you do need to use (process) that data, then you must still be brave enough to do so and tell your client/customer that you will be doing so. Where organisations are contracted to provide a service, a minimum level of data must be processed, and the organisation must be able to make contact with that client/customer where it is necessary to perform the contract, without the risk of allegations of a breach of the GDPR. Remember, the individual can ask an organisation to restrict the way that data is used. The flip side to this, as the subject, is that if you do so, you may not receive essential information, or there may be a delay in receiving it.
So, where does all of this fit in with the Independent Pilots Association and our members? As a membership subscription organisation, we need to hold certain minimum information about pilots. If we do not hold the information, we cannot perform the contract and provide the services our members are paying for. The union needs to be able to contact members regarding issues relevant to their airline and the aviation industry. The IPA does not give member details to third parties or undertake marketing. As an IPA member there are many benefits available to you, and some of those are only available to our members, the details of which can be found on our website (www.ipapilot.com), but we will not send marketing material to members. Post-GDPR implementation, we continue to only use members’ data for the purposes of maintaining your membership and providing the services that you pay for.
GDPR needs to be taken seriously. Those who run businesses are also data subjects, both within their own business and with any company or organisation that they do business with as an individual. It is therefore in everyone’s interests to be GDPR compliant.