With the introduction of the New Inspection Regime (NIR), all ships operating within the Paris MoU are subdivided into three types:

  • Low Risk Ship (LRS)
  • Standard Risk Ship (SRS)
  • High Risk Ship (HRS)

The type of ship is decisive

The type of ship determines how often a ship is required to be subjected to a port State control inspection in Paris MoU. Low risk ships must be inspected every third year, standard risk ships must be inspected every year, while high risk ships must be inspected every six months. When a period has expired, the ship is required to be inspected at the first subsequent port call.

The authority can choose to inspect earlier than required

However, the port State control authority can choose to inspect the ship earlier than required if it is expedient as regards the authority’s work. This means that a low risk ship can be inspected two years after the latest inspection, a standard risk ship ten months after the latest inspection and a high risk ship five months after the latest inspection.

Prioritising ships

When two years have passed since the latest inspection of a low risk ship, the ship becomes a second priority ship. This means that the authority may choose to inspect the ship, but is not required to do so.

If, however, more than three years pass since the latest inspection of a low risk ship, the ship becomes a first priority ship. This means that it is required to be inspected.

Similar rules of priority apply to standard risk ships and high risk ships, which is illustrated in this picture.

However, an unexpected factor may change the status of the ship from no priority to second priority.

Furthermore, a top priority factor may change the ship’s inspection priority to first priority.

Ships affected by unexpected factors are the following:

  • Ships that have not observed the current version of the IMO recommendation for navigating the entrances to the Baltic Sea.
  • Ships with certificates issued by a previously recognised organisation whose authorisation has been withdrawn since the latest inspection in the Community or in the Paris MoU region.
  • Ships about which pilots or port authorities or bodies have reported obvious irregularities that may affect safety of navigation or that present a risk of damage to the marine environment, cf. article 23 of this directive.
  • Ships that do not meet the relevant reporting requirements as stipulated in article 9 of the PSC directive as well as in directive 2000/59/EC (on port reception facilities for ship-generated waste and cargo residues), 2002/59/EC (monitoring directive) and, if relevant, regulation (EC) no. 725/2004 (on enhancing ship and port facility security).
  • Ships for which a report or complaint has been made by the master, a crew member or by any person or organisation with a legitimate interest in the ship being operated safely and properly, in the living and working conditions on board or in preventing pollution, unless the member State concerned considers the report or the complaint clearly groundless.
  • Ships that were previously detained more than three months ago.
  • Ships for which outstanding defects and non-conformities have been reported, except ships for which the defects and non-conformities are required to be remedied within 14 days after departure or before departure.
  • Ships for which problems have been reported related to their cargo, especially harmful and dangerous goods.
  • Ships that have manoeuvred in a manner presenting a risk to persons, property or the environment.
  • Ships for which information from a reliable source has shown that their risk parameters differ from the registered parameters and that the risk level is therefore higher.

Top priority factors are the following:

  • Ships that have, for safety reasons, been suspended or withdrawn from their class since the latest inspection in the Community or in the Paris MoU region.
  • Ships for which another member State has made a report or notice.
  • Ships that cannot be identified in the inspection database.
  • Ships that have been involved in a collision, grounding or stranding on their way to port.
  • Ships that have been accused of contravening the provisions on the discharge of harmful substances or waste water.
  • Ships that have manoeuvred in an irregular manner or in a manner that is not appropriate in terms of safety, so that routeing measures adopted by the IMO or safe navigation practice and procedures have not been observed.
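As an added illustration of the NIR priority rules described above (this is example code written for this page, not material from the DMA or the Paris MoU), the following Python sketch computes a ship's inspection priority from its risk profile, the date of its latest inspection and whether an unexpected or top priority factor applies. It assumes that the periods quoted in the text (two/three years, ten/twelve months, five/six months) translate to whole calendar months, and that "similar rules of priority" for standard and high risk ships means the same no-priority / priority II / priority I progression at those marks. The fleet data at the bottom is constructed.

```python
from calendar import monthrange
from datetime import date
from enum import IntEnum
from typing import Tuple

# Inspection windows in months after the latest inspection, per risk profile:
# (earliest month the authority may inspect, month by which inspection is due).
# Figures are those stated in the text for the NIR; the month-based reading
# is an assumption of this example.
WINDOWS = {"LRS": (24, 36), "SRS": (10, 12), "HRS": (5, 6)}


class Priority(IntEnum):
    NONE = 0    # no priority: still inside the period, not yet eligible
    SECOND = 1  # priority II: the authority may inspect, but need not
    FIRST = 2   # priority I: inspection required at the next port call


def add_months(d: date, months: int) -> date:
    """Shift a date forward by whole months, clamping to the target month's last day."""
    index = d.month - 1 + months
    year, month = d.year + index // 12, index % 12 + 1
    return date(year, month, min(d.day, monthrange(year, month)[1]))


def inspection_window(ship_type: str, last_inspection: date) -> Tuple[date, date]:
    """Return (earliest date the authority may inspect, date by which inspection is due)."""
    earliest, due = WINDOWS[ship_type]
    return add_months(last_inspection, earliest), add_months(last_inspection, due)


def inspection_priority(ship_type: str, last_inspection: date, today: date,
                        unexpected_factor: bool = False,
                        top_priority_factor: bool = False) -> Priority:
    """Time-based priority, then raised by any unexpected or top priority factor."""
    earliest, due = inspection_window(ship_type, last_inspection)
    if today > due:           # period has expired: required at the next port call
        priority = Priority.FIRST
    elif today >= earliest:   # authority may choose to inspect earlier than required
        priority = Priority.SECOND
    else:
        priority = Priority.NONE
    if top_priority_factor:   # top priority factor -> first priority regardless of time
        priority = Priority.FIRST
    elif unexpected_factor:   # unexpected factor -> at least second priority
        priority = max(priority, Priority.SECOND)
    return priority


if __name__ == "__main__":
    # Constructed sample fleet (not real ships); dates are made up.
    fleet = [("LRS", date(2016, 3, 10)), ("SRS", date(2018, 9, 1)), ("HRS", date(2019, 1, 31))]
    today = date(2019, 7, 31)
    for ship_type, last in fleet:
        earliest, due = inspection_window(ship_type, last)
        print(f"{ship_type} last {last}: window {earliest} to {due} -> "
              f"{inspection_priority(ship_type, last, today).name}")
```

The unexpected and top priority factors are modelled as two booleans because the text treats each list as a whole: any one listed factor is enough to raise the priority to the corresponding level, and a top priority factor overrides the time-based result entirely.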

Source: dma


Port State Control is the means by which a nation exercises authority over foreign merchant vessels that are within waters subject to its jurisdiction. Maritime Authorities who are signatories to the PSC MOU operating in their region agree to maintain an effective system of PSC to confirm that foreign ships calling, or anchoring off, its ports or off-shore installations comply with the applicable international standards. These standards are laid down in the “relevant instruments” of the MOU. The Cayman Islands is a signatory to the Caribbean MOU on PSC. PSC Officers based in George Town carry out inspections of visiting foreign flag vessels.

Purpose

PSC aims to verify whether foreign flagged vessels comply with applicable international conventions on safety, pollution prevention and crew living and working conditions. Where vessels are not found to be in substantial compliance, the PSC system imposes actions to ensure they are brought into compliance.

Inspections are targeted at vessels of most concern and/or most likely to be substandard, based on identified risk factors.

Authority Used for Inspection

PSC activity must be based on the control authority provided under national laws. For example, there must be laws that permit the inspection of foreign ships within the jurisdiction of the port state, laws to apply the relevant instruments to those ships and laws to enable enforcement actions to be taken against ships that do not comply.

When applying the relevant instruments, the Port State Control Officers (PSCOs) must carefully check that any action taken is authorised under a convention or its applicable law. For older vessels, in particular, PSCOs must ensure the applicability of the requirements. The requirements of new conventions may not apply to existing ships and, in some cases, the ships may be exempt or have equivalent provisions.

Memoranda of Understanding (MOU)

To facilitate coordination of PSC activities, IMO has encouraged the establishment of regional PSC organisations and agreements. Several Memoranda of Understanding (MOUs) are now in operation between regions including:

  • Europe and the North Atlantic (Paris MOU)
  • Asia and the Pacific (Tokyo MOU)
  • Latin America (Acuerdo de Viña del Mar)
  • Caribbean (Caribbean MOU)
  • West and Central Africa (Abuja MOU)
  • Black Sea Region (Black Sea MOU)
  • Mediterranean (Mediterranean MOU)
  • Indian Ocean (Indian Ocean MOU)
  • Arab States of the Gulf (GCC MoU or Riyadh MoU)

In addition to these MOUs, the United States Coast Guard also operates its own PSC regime.

Contacting Cayman Island Shipping Registry

The Safety & Compliance Section at Cayman Registry is available to provide assistance and guidance in the case of any PSC intervention on board Cayman registered vessels and can be contacted at the numbers provided in Guidance Note No.: 2013_01_CIGN.

Source: cishipping


Are you prepared for the next port state control inspection? Or what do you do if your vessel is detained and cannot continue on schedule? You need a reliable partner who supports you when you need it, anywhere in the world.

Our long-standing, high port state control (PSC) performance is testimony to the quality of our services and good cooperation with our customers.

Whether you need support upon detention or want to prevent off-hire due to detention, call on us and we’ll be at your side – regardless of where you are in the world.

Rely on us when detained:

  • We rapidly organise a surveyor to assist you on board
  • We are more familiar with local PSC authorities and can speed up the process

As the world’s largest classification society, we are able to conduct extensive research and constant analysis to evaluate the lessons learned from detentions. This enables us to provide a range of services that support you in keeping your vessel in compliance – so you are best prepared for PSC inspections worldwide at all times.

Our range of comprehensive PSC services includes:

  • PSC Planner web application: available to all customers via VERACITY by DNV GL, it gives an overview of one's fleet's PSC performance and helps to prepare for upcoming PSC inspections with ship-specific short checklists
  • Pro-active PSC risk profiling for your fleet – send inquiry
  • One-day interactive PSC workshop or tailor-made trainings via DNV GL Academy
  • Ad-hoc PSC seminars and training courses on request
  • PSC news, additional guidance on technical topics from a PSC inspection view
  • Support for preparation on Concentrated Inspection Campaigns (CIC):
    • Paris MOU and Tokyo MOU will carry out a joint CIC from August – September 2019 on “Emergency Systems and Procedures”
    • This CIC will also be joined by Black Sea MoU, Med MoU, Indian MoU, Riyadh MoU and Vina del Mar MoU
    • DNV GL will offer detailed information about the topic during an annual smart-up session in August – the next webinar will be in August 2020 for the CIC in 2020
    • Recordings of previous CIC smart-up can be found below under Videos and Downloads
    • Further guidance on actual and previous CICs can be found under PSC news

With PSC support from DNV GL, you’re always in good hands:

  • Be prepared for smooth PSC inspections to minimise the risk of deficiencies, saving you time and money
  • Benefit from surveyors who can discuss directly with PSC officers on board, most likely in the local language
  • Know exactly which actions have to be taken to achieve the quickest possible rectification of deficiencies and/or the release of your ship

Source: dnvgl


For the purpose of providing more transparent information on the activities of the Tokyo MOU, the Port State Control Committee decided to publish the PSC inspection data on the web-site. The inspection database under this section has been developed to allow searching and viewing the results of inspections conducted by the member Authorities of the Tokyo MOU.

In order to ensure accuracy and correctness of the Tokyo MOU PSC data, should there be a question regarding inspection data, the parties or individuals concerned are requested to contact the relevant port State Authority directly for verification or correction. The information displayed in the database reflects the situation at the time of inspection. The Secretariat of the Tokyo MOU is not in a position to amend any records in the database.


All ships sailing in international waters are required to comply with the international codes and conventions put forth by the maritime authorities. For this, ships should be maintained at a particular standard by the combined efforts of flag states, the shipping company, and the ship’s master.

In order to ensure that the condition of foreign ships is well above the expected level, inspections are carried out on ships when they visit international ports. This inspection of foreign ships is known as port state control (PSC).

Port State Control

Representation Image – Credits: lr.org

The regulation of port state control was brought in by the formation of Paris Memorandum of Understanding (MOU), which also put forth the general criteria for inspection procedures of all types of ships.

Know more about the Paris Memorandum of Understanding (MOU) and the 8 PSC regimes in operation worldwide

The Paris memorandum of understanding (MOU) laid down a few general rules for the inspection of foreign vessels. They are as follows:

  • Inspection would be carried out on ships coming to a port for the first time or after an absence of 12 months or more
  • Inspection would be carried out of ships which have been permitted to leave the port of a state with deficiencies to be rectified
  • Inspection would be carried out of ships which have been reported as being deficient by pilots or port authorities
  • Ships whose certificates are not in order would be inspected
  • Ships which have been involved in any kind of accident such as grounding, collision or stranding on the way to a port would be inspected
  • Ships which are carrying dangerous or polluting goods and have failed to report relevant information would be inspected
  • Ships which have been suspended from class in the preceding 6 months would be inspected
  • Ships which have been the subject of a report or notification by another authority would be inspected
  • Ships which are accused of an alleged violation of IMO provisions such that they pose a threat to the ship’s crew, property or the environment would be inspected

A ship is allowed to leave a port only on condition that the deficiencies found will be rectified before the departure or at the next port or within 14 days.

What all things are checked during port state control (PSC) inspection?

A port state control inspection involves checking of several aspects of the ship in both deck and engine departments of the ship.


The survey involves checking of important shipping documents, technical details, and structural elements of the ship.

Documents that are checked during port state control (PSC)

Important things that can be checked in the engine room during a port state control (PSC)

A ship is detained mainly when she is found to be dangerously unsafe to the safety of the ship, its crew and to marine environment. She can also be detained when the condition and standard of the ship is in complete contravention with the regulations put forth by the IMO and other maritime authorities.

The data collected from port state inspections of all the ships is stored in an information system called “Equasis”.

Find out more about Equasis here.

After the inspection, it is the duty of the master to report to the company regarding the outcome of the inspection.


Port State Control (PSC) is the inspection of foreign ships in national ports to verify that the condition of the ship and its equipment comply with the requirements of international regulations and that the ship is manned and operated in compliance with these rules.


Many of IMO’s most important technical conventions contain provisions for ships to be inspected when they visit foreign ports to ensure that they meet IMO requirements.

These inspections were originally intended to be a back up to flag State implementation, but experience has shown that they can be extremely effective. The Organization adopted resolution A.682(17) on Regional co-operation in the control of ships and discharges promoting the conclusion of regional agreements. A ship going to a port in one country will normally visit other countries in the region and it can, therefore, be more efficient if inspections can be closely coordinated in order to focus on substandard ships and to avoid multiple inspections.

This ensures that as many ships as possible are inspected but at the same time prevents ships being delayed by unnecessary inspections. The primary responsibility for ships’ standards rests with the flag State – but port State control provides a “safety net” to catch substandard ships.
Nine regional agreements on port State control – Memoranda of Understanding or MoUs – have been signed: Europe and the north Atlantic (Paris MoU); Asia and the Pacific (Tokyo MoU); Latin America (Acuerdo de Viña del Mar); Caribbean (Caribbean MoU); West and Central Africa (Abuja MoU); the Black Sea region (Black Sea MoU); the Mediterranean (Mediterranean MoU); the Indian Ocean (Indian Ocean MoU); and the Riyadh MoU. The United States Coast Guard maintains the tenth PSC regime.

IMO hosted six Workshops for PSC MoU/Agreement Secretaries and Database Managers. The Workshops were funded by the IMO Technical Cooperation Fund and aimed to provide support to regional port State control regimes by establishing a platform for cooperation and also providing a forum for the people involved to meet and exchange ideas and experiences. They also aimed to encourage harmonization and coordination of PSC activities and the development of practical recommendations which can be forwarded to IMO for further examination by the Organization’s relevant Committees and Sub-Committees.

The reports of the six past workshops are available on IMODOCS under “meeting documents/others/PSCWS”.

Source: imo

The General Data Protection Regulation (GDPR) is the biggest shake-up to data protection laws in Europe in over twenty years. GDPR came into force on 25 May 2018 and is designed to create a single set of requirements across Europe that give individuals more rights and control over how organisations can process and store their personal information.

At Bupa Global we take privacy and data protection seriously. Part of our vision statement is to respect everyone’s individuality, culture, privacy and dignity. As part of this, we consider information to be key to our business and understand that customers trust us to keep their personal information safe.

We’ve set out below a few FAQs that we have received about Bupa Global’s preparations for GDPR.

How has Bupa Global been preparing for GDPR?

We take privacy and data protection very seriously at Bupa Global. In line with our Bupa Code we respect everyone’s individuality, culture, privacy and dignity. As part of this, we consider information to be key to our business and understand that our customers and our people trust us to keep their personal information safe.

To make sure the business continuously improves, Bupa Global has been preparing for the GDPR for some time by running a readiness programme which brings together privacy, IT, legal and compliance expertise to review our business processes, IT and organisational controls, customer literature, and third party arrangements against the new requirements. Our preparations continue to respond to the evolving regulatory environment and the guidance we expect over the coming months from privacy regulators in Europe and beyond. We see privacy as something that goes beyond GDPR and is a part of business as usual at Bupa Global.

Although the GDPR is European legislation, the changes we are making will in some cases have effect for our customers, suppliers, partners and brokers beyond the UK and Europe.

Does GDPR apply to Bupa Global’s brokers?

It may do.

GDPR applies to data controllers and data processors and can apply to those based within the European Union and outside the European Union. The GDPR will apply to businesses established in the European Union and businesses based outside of the European Union that offer goods or services in the EU or monitor the behaviour of EU citizens, irrespective of whether the business has a presence in Europe.

Under GDPR, is Bupa Global acting as a data processor for its brokers?

Bupa Global cannot provide an absolute answer as arrangements may differ. Bupa Global provides a wide range of services to both individuals and companies. In privacy terms, Bupa Global is generally acting as a data controller when delivering these services, rather than as a data processor.

In order for Bupa Global to provide international private medical insurance services, Bupa Global determines what personal information it requires about individual members. This includes determining the personal information that is required to provide the services and how it is used (e.g. what personal information is used to price premiums and underwrite, how personal information is used to manage claims and provide benefits). When Bupa Global is making these decisions, Bupa Global is acting as a data controller.

We consider that brokers will generally also be data controllers. This is because brokers are usually making decisions about personal information they collect, the purposes for which personal information is processed and the way in which it is processed.

Brokers act as agents of the insured party. Generally, each broker determines what personal information they need to collect prior to providing such personal information to Bupa Global in order to arrange an insurance policy. The broker will retain the personal information and continue to control how it is used (e.g. to send marketing to individuals). On this basis, the broker would also be a data controller.

What does it mean if Bupa Global and a broker are each data controllers?

Under GDPR, where Bupa Global and a broker each act as data controllers, each party has responsibilities for the ways in which we collect, use, store and delete personal information. We each need to determine for ourselves how the law applies to us and what we need to do. For our brokers, this may mean that they need to make some changes to the ways in which they operate, review their current processes and consider their privacy culture.

At Bupa Global, we see compliance with GDPR as part of doing the right thing for customers, rather than just compliance with a legal obligation.

Will Bupa Global be changing its agreements with brokers?

Yes, Bupa Global will be updating our agreements with our brokers as required in order to reflect changes to privacy law under GDPR. This does not mean that all of our brokers will immediately receive new agreements, as we may already have GDPR-ready terms in place.

Will Bupa Global be updating its Privacy Notice?

Yes, we have updated our privacy notice available on our website and are updating all of our guides and other materials in line with GDPR requirements.

Will Bupa Global complete brokers’ GDPR readiness questionnaires?

As Bupa Global generally acts as a data controller for the provision of our services, we will not complete questionnaires that are designed to carry out due diligence on data processors. When processing personal information as a data controller Bupa Global has direct legal obligations for compliance with relevant data protection laws as well as complying with our internal privacy standards. We recognise, however, that our customers wish to ensure that all of their service providers are committed to safeguarding information to the highest standard. We are happy to discuss specific areas of concern, and brokers should raise any such issues with their usual Bupa Global contact.

What frameworks are in place to ensure that Bupa effectively manages privacy issues?

Bupa Global’s privacy framework is built out of Bupa’s enterprise level privacy, information security and risk policies.

Bupa Global’s policy and governance structures relating to privacy are designed with the accountability principle of the GDPR in mind.

Our enterprise level policies on information risk and privacy govern the approach Bupa Global takes to ensuring that privacy issues are effectively managed within the business. Regular risk assessments are carried out, which feed into our broader risk registers and committees, ultimately reporting to the Bupa Board Risk Committee.


Source: bupaglobal


The EU Network and Information Security Directive (NIS) requires maritime transport and other essential services to demonstrate that they have implemented ‘appropriate and proportionate’ cyber security measures. The NIS will come into force on 6 May 2018 and the Government has just published a consultation paper on the implementation of the NIS in the UK. The largest port or harbour authorities and maritime transport companies headquartered in the UK will be directly impacted by these new provisions and there will inevitably be a trickle-down effect on small companies that contract with those organisations. The penalties for breach of the new laws will be substantial – 4% of global turnover or £17 million, whichever is the greater. These measures will be in addition to the other new cyber laws, such as the General Data Protection Regulation (GDPR), which are about to come into effect.

Over the last 18 months, the maritime sector has worked hard to focus its response to the growing cyber risk that it undoubtedly faces. In June 2017, we saw updated cyber security guidelines from the International Maritime Organisation (IMO) Safety Committee. These guidelines are tied into the ISM Code. Although the guidelines are currently “recommendatory”, they require cyber risk to be appropriately addressed in safety management systems no later than the first annual verification of a company’s “document of compliance” after 1 January 2021.

Network and Information Security Directive (NIS)

The latest development for UK-based maritime organisations comes with the publication of a Government consultation paper on the implementation of the Network and Information Security Directive (NIS) (EU 2016/1148). This EU Directive, which was approved in 2016, requires “essential services” to develop certain standards of cyber security. The NIS leaves it to individual EU member states to decide how to implement its requirements in their own domestic law. The recent consultation paper sets out the UK’s proposals in that regard.

Maritime transport is listed as one of the “essential services” to which the NIS will apply. Not all operators in this sector, however, will be affected directly by the current proposals that are intended to apply only to the largest operations with headquarters in the UK.

In the UK context, that will mean harbour authorities and ports with annual passenger numbers greater than 10 million or with 15% of the UK’s Ro-Ro or Lo Lo traffic or that account for 10% of UK liquid bulk or 20% of UK bio-mass fuel. Under the Government proposals, the NIS will also impact “water transport companies” that handle more than 30% of freight at any UK port in scope and five million tonnes of annual freight in UK ports as a whole. They will also apply to companies with 30% of annual passenger numbers at any individual UK port in scope and more than two million passengers at all UK ports. As at September 2017, the term “water transport companies” has not been defined.

Despite these limitations on the direct application of the NIS, it seems inevitable that its adoption by large organisations will have a knock-on effect on smaller companies that work with or supply those organisations. This is because contracts for the supply of goods and services to the large organisations are likely to be amended to make small organisations responsible for any malware or other breach of cyber security that may be passed up the supply chain.

In addition, the Government is proposing to retain a reserve power to include within the scope of the NIS specific operators that do not meet the thresholds set out above, but which are still considered to provide an essential service.

Failure to comply with the NIS will, it is proposed, expose companies to very significant financial penalties of up to £17 million or 4% of global turnover, whichever is the greater.

Companies will be exposed to those fines if they “fail to implement appropriate and proportionate security measures”. These requirements are in addition to other provisions relating, for example, to GDPR.

The consultation paper does not set out in any detail the measures that the Government will expect to see implemented. Rather, the Government proposes to:

“… set out the high level security principles which will be complemented by more detailed guidance, that will be either generic or sector specific. … These principles describe the mandatory security outcomes that all operators will be required to achieve”.

The Government’s view is that operators of essential services are responsible for managing their risks and will need to implement security measures in line with the high level principles established for the purposes of NIS, having regard to the more detailed sector-specific and generic guidance to be published by the relevant NIS competent authorities. It is clear, however, that the new rules will cover governance, risk management, asset management and supply chain issues. In addition, there will be a mandatory incident reporting regime (that will be additional to existing reporting requirements and recommendations).

The consultation closes on 30 September 2017 and the Government will issue its further directives thereafter, with the intention that the scheme should go live from May 2018.

Although NIS is an EU Directive, its implementation by the UK Government will not be affected materially by the UK’s departure from the European Union.


Source: incegd


Two years to go. The International Maritime Organization (IMO) encourages ship owners and managers to have incorporated cyber risk management into ship safety by the 1st of January 2021. But what does that mean? And how should maritime cyber risks be addressed?

Digitalization

The maritime sector is on the verge of a digital disruption. Digitalization is increasingly considered one of the key solutions to the many significant challenges the sector is facing, ranging from overcapacity, low margins, regulatory pressure, and lack of efficiency, to new digital demands from customers. Although digital transformation of the maritime sector is still in its infancy, it’s safe to assume that digitalization will have a major impact on operations and existing business models in the years to come.

But fast-moving changes do not come without risk. Industrial automation and control systems that were once isolated and deemed secure, are increasingly being connected to corporate networks and the Internet. Individual devices across enterprise Information Technology (IT) and Operational Technology (OT) networks – from smart digital equipment and tools to navigation, engines and more – will present potential new pathways to cyber attacks and incidents on vessels.

First steps towards regulation

This has driven IMO to issue the Resolution on Cyber Risk Management. The resolution “encourages administrations to ensure that cyber risks are appropriately addressed in safety management systems” by 2021.

While that does not sound too obligatory, potential implications of inappropriate cyber risk management are obvious, as it may lead to, for example:

  • Increased (unforeseen) expenses;
  • Operational loss due to incidents;
  • Safety and personnel damage;
  • Limited competitive edge.

But potentially, consequences are more widespread. Lack of compliance with these requirements may also lead to increased insurance fees, port access denial and even detention of ships, again meaning huge financial losses for their owners.

It is expected that, though for now just a recommendation, the IMO Guidelines can become the GDPR for the maritime sector: that regulation where noncompliance potentially affects your license to operate – and that regulation that seems difficult to get a grip on.

As cyber security may not be the core business of most maritime organisations, proper guidance on efficiently incorporating cyber risk management is needed. This is where KPMG offers its global expertise on cyber security advisory and digital risk management for the maritime sector.

Addressing cyber risk

KPMG’s solutions aim to let maritime organisations manage cyber risk in the way intended by, for example, the IMO Guidelines on Maritime Cyber Risk Management and the BIMCO Guidelines on Cyber Security Onboard Ships. This covers the five functional elements those guidelines describe:

  • Identify: To identify and manage risks, and turn them into business advantages, you first need to understand your connected landscape and identify the most relevant threats and highest risks for your environment.
  • Protect: Once you understand your maritime IT and OT landscape, and the impact and risks of the systems within it, you can take appropriate measures to protect it where relevant.
  • Detect: Having identified and designed the controls and measures that protect your environment, it is important to monitor them. By monitoring network traffic, logs and endpoints, you can detect cyber incidents earlier.
  • Respond: When an incident happens, getting back to business as usual is key to business continuity and safety. Cyber response processes should therefore be ‘second nature’ to your organisation.
  • Recover: Once the heat of the incident is over and business is back to usual, it is time to understand what happened and evaluate the current security measures so that similar incidents are prevented in the future. At this stage you will need to answer stakeholder questions about the incident and identify lessons learned.

Sailing with a fair wind on cyber security will let you reap the benefits of digitalisation and avoid unnecessary costs. Today’s cyber risk posture in the maritime sector, as well as upcoming regulation, demands a strong approach to identifying the cyber risks that matter most and addressing them in the most cost-effective way. This calls for scalable, data-driven solutions that identify and address risks automatically.

Source: LinkedIn


Introduction

The EU General Data Protection Regulation (GDPR) was approved by the European Parliament on 14 April 2016 and applies from 25 May 2018. It introduces a new data protection framework that applies directly in all EU member states. The new regime, considerably stricter and more binding than the existing one, aims to give individuals greater rights over their data. As a result, the obligations on organizations regarding the collection, storage and handling of personal data will increase substantially. One of the key changes is the consequence of a GDPR breach: fines for non-compliance may reach up to Euro 20 million or 4% of annual worldwide turnover (whichever is higher) for serious breaches.

What is Personal Data?

Pursuant to Article 4 of the GDPR, personal data means any information relating to an identified or identifiable natural person, the so-called data subject. A natural person is identifiable if he or she can be identified, directly or indirectly, by an identifier such as a name, an identification number, location data or an online identifier, or by factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity. In addition, special category personal data (Article 9) is data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic and biometric data, health data, and data concerning sex life or sexual orientation. Organizations are subject to additional obligations when processing these special categories.

When does an organization “Process” Personal Data?

Processing personal data means performing any operation on personal data, whether or not by automated means; for example, collecting, recording, storing, using, amending, disclosing or deleting it.

Why will the shipping industry be affected by the GDPR?

Shipping companies store and handle large amounts of personal data, for instance passenger information, crew member details, travel documents, training records, bank details and other information gathered in the ordinary course of business. Moreover, shipping companies routinely share this information with third parties such as port agents and P&I clubs.

Shipping companies are not the only ones subject to the GDPR. Brokers, surveyors, agents, correspondents and external service providers very often deal with personal data, sometimes including sensitive data: a personal injury claim or a claim involving a minor, for instance. In such cases the claimant, i.e. the data subject, enjoys the rights conferred by the GDPR.

To whom does the GDPR apply?

The GDPR applies to people of all nationalities when their personal data is processed in the context of the activities of an organization established in the EU, regardless of where the processing itself takes place. It also applies to non-EU organizations when they process personal data of people who are in the EU in connection with offering them goods or services, or with monitoring their behaviour within the EU.

What are the consequences of failing to comply with the GDPR?

Indeed, the GDPR introduces draconian penalties. Fines for non-compliance may reach up to Euro 20 million or 4% of annual worldwide turnover (whichever is higher) for serious breaches. For less serious infringements, fines can reach up to Euro 10 million or 2% of turnover (again, whichever is higher).

Apart from pecuniary penalties, non-compliance with the GDPR might keep the offending organization away from important business opportunities in the future. Quite apart from the reputational consequences of a data breach, GDPR compliance might become a paramount requirement for companies wishing to take part in EU public tenders or to contract with companies based in the EU.

What should an organization do?

To comply with the GDPR, an organization should follow these eight practical and essential steps:

  1. Awareness: be aware that the law is changing to the GDPR. Everyone in the organization must understand the impact of this new piece of legislation.
  2. Information audit: assess what personal data the organization holds, where it comes from and who it is shared with. The audit is usually conducted by a legal team or by professional firms with expertise in privacy matters.
  3. Draft privacy notice: once the audit is concluded, a tailor-made privacy policy can be drafted according to the types of personal data the organization processes. Certain organizations are advised to draft several privacy policies, for example one with specific wording for where special category data is collected, another for commercial use, and another for HR purposes.
  4. DPO: where appropriate, appoint a Data Protection Officer (DPO), i.e. someone who takes responsibility for data protection compliance. An organization is required to appoint a DPO where it is a public authority, where its core activities involve regular and systematic monitoring of individuals on a large scale, or where they involve large-scale processing of special categories of data (such as health records) or of data about criminal convictions. A competent external DPO can bring technical expertise and save time.
  5. Consent: review how the organization obtains, records and manages consent. Consent must be specific, granular, clear, prominent, properly documented and as easy to withdraw as it was to give.
  6. Individuals’ rights: check the procedures and make sure they cover all the rights that individuals have. Under the GDPR, individuals have the right to be informed, the right of access, and the rights to rectification, erasure, restriction of processing, data portability and objection. The organization should therefore be ready to react if, for instance, someone asks to have their personal data deleted or corrected.
  7. Data breaches: make sure the right procedures are in place to detect, report and investigate a personal data breach, i.e. an incident response plan. Unless the breach is unlikely to result in a risk to individuals, the supervisory authority must be notified without undue delay and, where feasible, within 72 hours of the organization becoming aware of it; where the breach is likely to result in a high risk to individuals, they must be informed as well.
  8. Training: ensure that the organization’s personnel are trained on GDPR compliance. A GDPR crash course followed by periodic training would be appropriate in many circumstances.

 

Will the GDPR affect the data that a ship uses and shares?

Yes, insofar as such data is personal data pursuant to Article 4 of the GDPR.

Is commercial data (bills of lading, vessel data) subject to the GDPR?

No, unless the commercial data includes personal data, for instance the name and contact details of an individual named as shipper or consignee on a bill of lading.

Are GDPR fines excluded from P&I cover?

No. However, cover for such a fine would require that all reasonable steps to avoid the breach had been taken.


Company details

SHIP IP LTD
VAT: BG 202572176
Rakovski Str. 145
Sofia,
Bulgaria
Phone: (+359) 24929284
E-mail: sales(at)shipip.com

ISO 9001:2015 CERTIFIED