The General Data Protection Regulation entered into force on the 25th of May and was designed to harmonize data privacy laws across Europe by introducing a new standard of data protection. It is important to remember that this legal instrument has an extraterritorial effect and as such also concerns foreign companies which operate within the EU or process data of European Citizens. Beyond doubt, companies operating in the maritime industry will be affected by the GDPR, as they process large volumes of personal data such as data regarding employees, business contacts, passengers, vessel crew, contractors and much more. Stricter rules and higher fines increase the risk of non-compliance; however, the most direct impact of the GDPR comes down to three main issues.


First and foremost, the GDPR provides a number of new rights to European Citizens. The most fundamental one concerns the legal basis for data processing, which is, in fact, the consent of the person whose data is to be processed. As provided in art. 4(11), consent has to be given freely and unambiguously, by a statement or by a clear affirmative action. Consent from clients can be accepted in several ways, e.g. in written, electronic or oral form. Importantly, companies have to ensure that it is as easy to withdraw consent as it was to give it in the first place. In addition to the issues relating to obtaining or withdrawing consent to the processing of personal data, one should also take into account the further individual rights granted by the GDPR:

• right to access data (art. 15)
• right to rectify data (art. 16)
• right to delete data – “right to be forgotten” (art. 17)
• right to limit processing (art. 18)
• right to transfer data (art. 20)
• right to object (art. 21)

Moreover, the GDPR sets out seven key principles that should lie at the heart of data processing:

• lawfulness, fairness and transparency
• purpose limitation
• data minimisation
• accuracy
• storage limitation
• integrity and confidentiality (security)
• accountability

At the moment, every company operating in the shipping industry worldwide has to comply with the GDPR’s provisions when EU Citizens’ privacy rights are in question. This will have a major impact on those companies, both time-wise and money-wise.

1. Bureaucracy and costs

Companies that wish to comply with the new law will be subject to an enormous amount of formal requirements and paperwork. All relevant activities should be implemented by means of appropriate internal procedures and duly documented. For this purpose, it is recommended to prepare documentation showing the measures taken to properly implement and apply the GDPR (such documentation may include, among others, appropriate security certificates, certificates confirming the competence of persons having access to personal data, guidelines for employees, risk analysis reports, certification of the measures used to secure ICT systems, etc.).

Article 30(1) of the GDPR obliges each data controller to keep a register of personal data processing activities. In principle, this obligation binds only those companies which have more than 250 employees. However, it may still apply to smaller companies when the data processing may cause a risk of violation, is not occasional, or includes special categories of information (e.g. racial origin or trade union membership).

Where the core activity of the controller or processor consists of processing operations which, by their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale, the GDPR makes the appointment of a Data Protection Officer (DPO) mandatory. The controller is required by the GDPR to analyse whether it is obliged to appoint a DPO. However, even where such an obligation does not directly follow from the GDPR, according to the position of the Working Group (the advisory body that co-created the content of the GDPR), appointing a DPO is strongly recommended.

The appointment of such a person gives additional security guarantees – it confirms that the relevant body has acted with due diligence as regards the protection of personal data. Article 37(5) provides that the DPO should be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices, as well as the ability to fulfil the tasks set out in the Regulation. In other words, the GDPR requires concerned companies to create a new position and employ an expert in the field.

As you can well imagine, these necessary changes will be time-consuming and will incur unavoidable costs. According to some estimates, the world’s 500 biggest corporations are on track to spend a total of $7.8 billion to comply with the GDPR.

2. More costs

The risk of non-compliance entails potentially very high costs, as regulators will have the power to fine businesses that breach GDPR requirements up to 4% of their worldwide turnover.

In the event of a violation of the rights of individuals, the controller is exposed to both civil and administrative liability. As regards civil liability, the GDPR gives persons whose rights have been violated the possibility, inter alia, to apply to a court for an order requiring the controller to cease the violation or to take specific action, or for an award of damages.

In addition, a data controller is also exposed to administrative sanctions in the form of fines:

• a fine of up to 10 million euro, and in the case of a company or group of companies with a total worldwide turnover exceeding 500 million euro – up to 2% of total global turnover from the previous year;
• a fine of up to 20 million euro, and in the case of an enterprise or group of companies with a total worldwide turnover exceeding 500 million euro – up to 4% of total global turnover from the previous year.

3. Member States are not prepared

Back in 1995 the EU had already legislated on the protection of personal data. As such, the GDPR is a legal instrument which finds its origins in the previous century. Even so, only a small number of Member States were actually prepared for the GDPR. Only France, Germany, Austria, Slovakia and Sweden have implemented appropriate national legislation in order to adjust their legal systems to the GDPR.

However, this does not mean that the other countries have given up on introducing national modifications. The majority of Member States already have draft legislation which will have to be passed in due time. Hence it should be emphasized that entrepreneurs are not advised to refrain from adapting to the GDPR and its policy until the adoption of the new law on the protection of personal data in their Member States. The GDPR takes the form of a regulation – hierarchically the most important legal act of the European Union – which means that the provisions of the GDPR are directly binding and applicable and as such have direct effect. In other words, as from May 25, 2018, the GDPR applies in full, and entities that perform the relevant activities, including the collection and processing of personal data, must strictly comply with these provisions.

Overall, the high stakes call for companies to make sure they are GDPR compliant, and there is a high probability that most of them still aren’t.


The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is set to come into force in May 2018. It is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU).

The GDPR replaces the EU Data Protection Directive and applies to all member countries without the need for national legislation. After four years of discussion and amendments, the regulation officially takes effect on May 25, 2018 and places the EU at the forefront of data protection standards.

Ince & CO explains, “Shipping companies collect a great deal of personal data, including passenger information, crew and employee details, customer lists and details of business contacts. The complex global nature of the industry and high level of personal data processed and exchanged, often across national borders, can leave information vulnerable to security breaches, intentional or otherwise. Implementing effective data protection controls into daily operating procedures is a huge challenge. However, when the EU General Data Protection Regulation and the UK’s Data Protection Act 2018 come into force on 25 May 2018, businesses ignore them at their peril, as non-compliance can result in large fines and reputational damage. There are also commercial benefits to effective compliance: companies that protect the privacy of their passengers, employees and business associates and conduct properly targeted marketing campaigns will be more likely to attract and retain business and staff.”

Lester Aldridge underlines the steps companies need to take to prepare for the GDPR, stating, “under the GDPR, there is a full list of action points for businesses to take to ensure data protection compliance. The following 5 key steps are perhaps the most important ones that should help companies process data correctly:

  1. Appoint a data protection officer to ensure compliance.
  2. Implement a system internally to ensure the relevant supervisor is informed of a personal data breach within 72 hours of first becoming aware of the breach.
  3. Adopt an updated data protection and privacy policy by analysing your system and practice to ensure that data is processed in accordance with the permitted legal grounds.
  4. Run audits and risk assessments on collected personal data and keep the individuals informed about processing their personal data.
  5. Provide training to your employees and ensure that they are abreast with the correct processes and ensure that data controllers have contracts with all of their data processors.”

With large potential fines (the greater of up to 4% of global turnover or 20 million Euros), risk of claims from individuals and reputational damage, businesses need to make the necessary changes to their systems and policies now in order to be prepared when the GDPR “goes live” on 25 May 2018.

HFW states, “The GDPR will also apply to organisations established outside of the EEA if certain conditions apply, including where they monitor the behaviour of individuals within the EEA (for example, via cookies), offer goods or services to individuals within the EEA (note that if you offer goods or services to a business that business has individuals within it) or where EEA Member State law applies in accordance with international law, e.g. where a vessel is flagged with an EEA Member State registry.

Particular factors to consider when determining whether the GDPR will apply are:

  • Are any of your vessels flagged within the EEA?
  • Is your website directed towards customers based in the EEA, for example by giving an option to choose a “UK” setting, an EEA currency, or a particular language?
  • Can your services be bought from within the EEA?
  • Do you have a registered establishment or an office in the EEA?
  • Is your business currently registered with an EEA data protection authority, such as the UK’s Information Commissioner’s Office (the “ICO”)?
  • Do you use servers located in the EEA?
  • Do you monitor the behaviour of any individuals within the EEA (irrespective of their nationality or habitual residence)? For example, if your website uses tracking cookies, then you are “monitoring individuals” for the purposes of the GDPR.

If the answer to any of these questions is yes then it is likely that the GDPR applies to you.

The GDPR introduces a host of new obligations and requirements with which businesses must comply. Five key action points are as follows:

  1. Conduct a data audit. Data controllers and processors alike are required to keep records of their personal data processing. Analyse your systems and practices to check what personal data you process, why, how you use them, where they are stored and whether you still need them. Check whether you process them in accordance with one of the permitted legal grounds (e.g. has the individual given their consent, or is the processing necessary for the performance of a contract with the individual, or necessary for a legitimate business interest). “Sensitive” personal data are subject to stricter rules and processing usually requires the individual’s consent. Note that “consent” is more difficult to obtain under the GDPR regime than under the UK Data Protection Act 1998 which implements the current EU data protection regime. Criminal records of employees or service providers can only be processed in accordance with specific EEA Member State laws. Document your findings and decisions.
  2. Draft or amend policies and procedures. The GDPR strengthens and adds to individuals’ rights, for example it strengthens the rights to have personal data deleted or frozen, adds a new right of “data portability” where an individual can request that personal data stored electronically be transferred to a different data controller, and shortens timelines for compliance with individuals’ requests. It also imposes new obligations on all data controllers to report personal data breaches to relevant data protection authorities within 72 hours, and to report breaches to individuals concerned (if the breach is high risk) “without undue delay”. It introduces a new concept of “privacy by design”, which requires businesses to think about protecting individuals’ privacy at the very beginning of any new project and to conduct “privacy impact assessments” calculating the potential risks to individuals’ privacy rights. Businesses will need to update (or draft) policies and procedures to ensure compliance with these obligations.
  3. Inform individuals about your processing through fair processing notices. Individuals must be kept informed about the processing of their personal data. The GDPR increases the amount of information which must be included in these notices. Privacy policies will need to be updated and businesses will need to amend (or draft) notification forms.
  4. Amend or put contracts in place with data processors. The GDPR requires data controllers to have contracts in place with all of their data processors, containing certain elements specified in the GDPR.
  5. Appoint a data protection officer. Many businesses will be required to appoint data protection officers, or may choose to do so voluntarily, given the increased risks associated with data protection.”

The UK P&I Club suggests an action plan in accordance with the GDPR, stating, “In order to comply with the full scope of the GDPR, it is recommended that organisations seek legal counsel.

At a minimum, here are a few high-level action items:

  • Get consent: A data controller must be able to prove that consent was given by the data subject.
  • Conduct a Data Protection Impact Assessment: It’s important to assess privacy risks of processing personal data of individuals.
  • Where appropriate, appoint a data protection officer: This person is responsible for overseeing compliance and data protection strategies.
  • Be prepared to report data breaches: Under the GDPR organisations must report a breach within 72 hours.
  • Maintain records of processing: Article 30 states that controllers “shall maintain a record of processing activities under its responsibility.”

The GDPR will change the way the shipping industry handles data forever. It is something that must be taken very seriously as any violation will result in severe repercussions. Organisations that fail to comply will face significant fines—as high as four percent of the organisation’s annual revenue. Furthermore, individuals may take action against any entity that improperly handled their personal data.

 

Source: seanews


03/2018

The European General Data Protection Regulation (GDPR) comes into full effect on 25 May 2018. Designed to increase protection of individuals’ rights and freedoms, GDPR has strengthened privacy rules, thus increasing the companies’ privacy obligations. Stakes are high as administrative fines can reach Euro 20 million or 4% of an organisation’s global turnover (whichever is greater), but the true cost in the case of a severe data breach is obviously the loss of reputation and potential claims.

Why is GDPR particularly relevant to shipping?

Although GDPR will probably affect every organisation that processes personal data, the shipping industry will be particularly affected due to the following reasons:

• Even small shipping companies process personal data of their crew on a daily basis. Most shipping companies keep records of their crew members between embarkations and for some time after the last debarkation.
• Personal data processed by shipping companies includes personal identification documents, bank details, travel documents, training records but also data considered to be ‘sensitive’ such as medical records.
• Shipping companies receive personal data from many sources such as the individuals themselves, manning agents, port agents and other third parties, in the normal course of business.
• They send personal data to many recipients such as port agents, travel agents and P&I clubs.
• They regularly make data transfers to a large number of jurisdictions, with particular interest in those made to countries outside the EU, and in specific, those where certain conditions must be met in order for the transfer to be allowable.

What should shipping companies do?

1. AWARENESS

It is crucial that shipping companies kick-start their GDPR project by raising awareness among top management on what GDPR requires and what the key risks for their particular organisation are. Engaging the right people at top management level is necessary to ensure that the organisation commits the necessary time and resources and develops a culture that respects privacy.

2. TEAM

With the full support of management, organisations need to assemble a multi-discipline team to run the project, ensuring risk, legal and IT are included. The appointment of a Data Protection Officer may be required under certain circumstances, in which case the organisations need to consider who that person might be. Trusted external advisors can bring technical expertise and perspective, and help save time.

3. IDENTIFICATION OF DATA PROCESSING ACTIVITIES

It is then time to identify and record the data processing activities, ensuring that for each activity the entire data lifecycle is captured (from collection all the way to destruction). Data processors and joint-controllers should also be identified at this stage.

4. GAP ANALYSIS AND COMPLIANCE PLAN

Whilst capturing the flows, organisations should look for the weaknesses in the data flows, evaluate the resulting risk and respond to that risk with a specific practical plan of action, so that the risk can be mitigated to an acceptably low level. To identify weaknesses they will also need to consider their policies and procedures, their current compliance framework (for example ISM, MLC etc.) as well as tools and enablers, including legal documents (forms, terms and conditions, etc.) and of course the IT environment.

5. IMPLEMENTATION OF CHANGES IN POLICIES, PROCEDURES, NOTICES, LEGAL, IT

Once the specific action plan is complete, organisations can then proceed to the implementation phase. This would normally include making changes in privacy policies, contracts with manning agents and P&I clubs, information notices to port agents, staff and crew, as well as drafting appropriate consent forms. Implementation could also include changes in manual procedures, IT security (firewalls, encryption etc.) and the business continuity and disaster recovery plan. External advisors can again help carry out various aspects of the implementation but also assist in managing the effort.

6. DATA BREACH READINESS

It is crucial that organisations design an Incident Report Plan that includes the detailed actions that will need to take place so that, if required, notifications can be made in a timely manner to the Supervisory Authority (within 72 hours from detection of the data breach) and to the data subject. The Plan should include a clear pre-determined set of consecutive actions and a clear allocation of responsibility for those actions, as well as notification templates, investigation requirements, reporting, media and communications management etc. Shipping companies should also maintain an incidents log, containing details of privacy incidents identified and how they were followed up, irrespective of whether they were reportable to the Authority and/or the data subjects or not.

7. PRIVACY IMPACT ASSESSMENT

GDPR requires that companies consider the impact on data privacy when making important business decisions, so that the notions of privacy ‘by design’ and ‘by default’ are embedded in new projects at the design phase. Decisions such as the selection of a new manning agent based outside the EU would require a detailed assessment of the data privacy conditions relevant to data transfers from and to the agent, in order for the relevant considerations and potential risks to be surfaced and mitigated appropriately at inception of the agreement. A well thought-through privacy impact assessment can help determine those terms and conditions that will eventually allow the parties to transfer data securely and reliably, having resolved accountability issues right from the start of their contract. A well thought-through privacy impact assessment can also expose a potentially high-risk business partner.

8. TRAINING

Once the GDPR compliance plan has been fully implemented, it is highly advisable to roll out GDPR training to all staff and crew, highlighting any changes that were implemented because of GDPR and the reasons for them. Personal data such as original travel documents and other records are held aboard vessels, so it is important that training, to the appropriate extent, is also provided to the officers on board.

9. ONGOING MONITORING

Like all companies subject to GDPR, shipping companies need to demonstrate that they monitor their compliance on a continuous basis, by updating their policies and procedures when needed, training their staff and crew, and updating their formal documents and agreements where these are relevant to personal data. In addition, shipping companies should design (and incorporate in their ongoing compliance monitoring framework) tests of operational effectiveness for controls mitigating significant risks associated with GDPR and data privacy in general, and follow up on the weaknesses identified.

10. FOSTERING A GOVERNANCE-DRIVEN CULTURE

No matter how many safeguards are put in place in an organisation’s internal control environment, effective risk mitigation will always eventually come down to how well people understand, appreciate and implement those safeguards. Establishing and maintaining a governance-driven culture that will empower people to actively protect their organisation creates a much more effective shield against privacy threats, compared to a compliance-driven approach that can prove bureaucratic.

How can shipping companies better manage GDPR compliance cost?

Compliance costs in shipping have increased exponentially in the past few years. GDPR does not need to be another heavy compliance burden: by embedding the principles of privacy into the current structures, policies and procedures that were created to respond to various other requirements coming from regulations, authorities or other counterparties, shipping companies can implement GDPR – as well as other privacy projects – in a truly risk-focused, effective and efficient way.

 


Franman’s core activity since its establishment has been the representation of First Class Makers of Shipbuilding Equipment for merchant vessels.

The function of the Shipbuilding Division is to introduce and promote its principals to shipping companies in Greece, Cyprus and the greater Eastern Mediterranean area.

We ensure that our customers are fully acquainted with our principals’ equipment and products. This is achieved through continuous communication with the customer, while for effective promotion we utilize the various marketing tools available, such as seminars, workshops, participation in exhibitions and targeted advertisements, among others.

Thereafter, Franman’s involvement in a specific new building project begins at an early stage. Our first objective is to ensure to the extent possible, that the equipment we represent is included in the shipyard’s maker list. Our ultimate target is to pursue an agreement between maker and owner with the best possible terms for both parties involved.

Another area in which we are heavily involved is that of retrofit projects for all the equipment that we represent and promote.

Our effectiveness is based on our in-depth knowledge of our markets, our experience and the close business relationships that we have established with shipping companies since our company’s formation back in 1991, which we utilize for the benefit of both our customers and our principals.

Source: divisions


Since 30 September 2020, the issue has been affecting IMO’s public website and internal intranet services.


“The interruption of service was caused by a sophisticated cyber-attack against the Organization’s IT systems that overcame robust security measures in place,” the IMO said, adding that the organization’s IT technicians shut down key systems to prevent further damage from the attack.

“The IMO is working with UN IT and security experts to restore systems as soon as possible, to identify the source of the attack, and further enhance security systems to prevent recurrence.”

As reported, internal and external emails are working as normal, while service has been restored to the GISIS database, IMODOCS and Virtual Publications.

Furthermore, the IMO Secretariat has continued to function with some limitations and the Facilitation Committee has continued meeting this week on the external platform.

Earlier this week, French container shipping giant CMA CGM also confirmed a cyber attack impacting the company’s peripheral servers. CMA CGM thus became the fourth major shipping company to experience a cyber attack, after Swiss Mediterranean Shipping Company (MSC), China’s COSCO Shipping and Danish Maersk.

 

Source: offshore


Verifier’s Perspective of 2019 Emissions Report Verification 

As the verification season for the first CORSIA monitoring period draws to an end, its magnitude dawns on us. We have just taken the monumental first step in our journey towards a cleaner and greener aviation industry. The verification of the first CORSIA baseline year was overshadowed by the pandemic which wrought havoc on the entire aviation industry. Nevertheless, airlines strove to comply with the CORSIA regulations amidst all uncertainty and hardships.

From a verification body’s point of view, we found it inspiring that despite the COVID crisis, national authorities were holding the airlines to their obligations under CORSIA albeit with prolonged deadlines. We witnessed several airlines struggle to access and provide certain documents needed for the verification due to the restrictions and mandated remote work policies. In these situations, we had to pivot and get creative under the guidance of the ISO 14064 standards and the SARPS to find other ways to manage risks and arrive at a reasonable assurance where possible.

Having concluded 188 CORSIA verifications with another 45 underway, we have learnt a lot and wish to share our experience with everyone. The purpose of this article is to share our perspective on the various issues we observed during these verifications, with the intention of sharing best practices and recommended improvements that all operators can benefit from. In line with the above, find below a list of the most commonly observed “non-compliances”, “misstatements” and other points of improvement. The sections below have been compiled with inputs from VERIFAVIA’s team of auditors.

Non-Compliances with the EMP

A non-compliance with the EMP arises when monitoring and reporting were not performed according to what is declared in the Emissions Monitoring Plan.

We came across a number of varied non-compliances with the EMP. By far the most common one was that the EMP did not have a procedure listed for the handling of wet leased flights and their data. Owing to its importance, this is also a non-compliance with the SARPS. Similarly, it was noted that a lot of the EMPs were lacking information about the procedures concerning the handling of exempted flights, documentation and record keeping, and the identification and handling of data gaps. In a few cases, the declared source of flight data was found to be different from the data actually used, and this was often accompanied by the incorrect application of a fuel use monitoring method.

Non-Compliances of the EMP with the SARPS

A non-compliance of the EMP with the SARPS occurs when the EMP has procedures listed which do not comply with a particular aspect of the regulation (SARPs, ETM, National Regulation for CORSIA).

  • As per the SARPS, monitoring, reporting and verification (MRV) is to take place based on an EMP approved by the national authority. We have had to conclude some verifications with this non-compliance because the operator couldn’t get their EMP approved by their authority. As explained above, necessary information was missing from the EMPs, which counts as both a non-compliance with the EMP and a non-compliance with the SARPS.
  • Some EMPs had conflicting declarations in the methods tab, with both CERT and a FUMM (fuel use monitoring method) selected as primary methods within the same period.
  • It was also noted in certain cases that the implementation of the selected fuel use monitoring method was incorrect, which reflected a lack of understanding. This was the case with operators choosing to use the fuel uplift and fuel allocation by block hour methods. On a similar note, the incorrect use of the declared data gap approach was also encountered.
Non-Conformities and Misstatements*

*These pertain solely to the Emissions Report (ER). When the process in place does not conform to the procedures described in the EMP, resulting in incorrect numbers or missing information in the ER, it is deemed a non-conformity. These will always result in a misstatement. Misstatements are errors in the data or in the ER resulting in incorrect numbers or missing information in the ER. These misstatements can be material or non-material.

  • The wrong use of method A or method B due to an improper chronological order.
  • The use of incorrect, outdated ICAO codes for airports and in some cases the incorrect attribution of an airport to another state. On a similar note, many reports used state names that were not in line with the ICAO template.
  • In a few rare cases, missing international flights were counted as data gaps, international positioning flights were missed while some wet leased out flights were included.
  • In one particular case, the operator was unable to edit the destination airport of a flight on their system. Their IT system prevented editing of the airport codes due to linkages with several other systems. As a result, when an aircraft was diverted to another airport and subsequently departed from that airport, the log showed a break in sequence. Often the diversion would be international, which would impact the state pairs to be reported.

Other Notable Points Of Improvement

Setting the above aside, we also encountered a diverse assortment of issues. These do not qualify for any of the above categories as long as they are corrected or rectified prior to the issuance of the verification report.

  • Perhaps the most common one concerned filling in the Emissions Report: which aircraft to declare in the fleet tab, how to fill in the reporting/identification sheets, which dates to use and what the approved aggregation is were a few of the many points on which we have had to work.
  • Some operators had duplicated flights, which were discovered during the verification.
  • Most operators had breaks in sequence which, upon investigation, would at times reveal missing flights. It is highly recommended that all operators implement measures to ensure that each aircraft has a logical sequence of consecutive flights.
  • Most operators haven’t prepared a CORSIA manual or included CORSIA in their internal annual audits. This ties in with the point that operators attest to having several quality control activities in place but do not possess any documents or reports to back them up.

In conclusion, CORSIA 2019 is one small step for airlines but a giant leap for the planet. Yes, there have been many challenges along the way, and most of the procedures associated with reporting and verification are novel to operators that haven’t been exposed to the EU ETS. Admittedly, the COVID crisis will present a new set of challenges during the verification season for 2020, but with concerted efforts we can overcome them and continue growing.

Source: verifavia


Shipping’s global regulatory body the International Maritime Organization (IMO) has been hit by a cyber attack.

The IMO said on Twitter: “The interruption of service was caused by a cyber attack against our IT systems. IMO is working with UN (United Nations) IT and security experts to restore systems as soon as possible, identify the source of the attack, and further enhance security systems to prevent recurrence.”

At the time of writing the IMO’s website remained unavailable with a message that it was “under maintenance”. Some document and publication services remained active.

It is the second cyber attack on a shipping organisation this week with the world’s third largest container line CMA CGM hit with malware that forced it to take its e-commerce systems off line and resulted in a suspected data breach.

From 2021 cyber security will be part of the IMO’s safety management systems for shipping, a regulatory change that is also referred to as IMO 2021.

Source: seatrade


CMA CGM yesterday revealed it may have suffered a data breach during the recent cyber-attack.

As the French carrier works on restoring its systems, it said: “We suspect a data breach, and are doing everything possible to assess its potential volume and nature.”

However, it added that its IT technicians had made progress in restoring its systems.

“Today, the back-offices (shared services centres) are gradually being reconnected to the network, thus improving bookings and documentation processing times,” it said.

And it reminded customers that online bookings could still be made through the INTTRA portal, as well as by spreadsheet via email, and said EDI messages were also secure.

It told them: “Maritime and port activities are fully operational. We are providing alternative and temporary processes for your bookings and are committed to processing them as quickly as possible.”

Meanwhile, cyber criminals have continued their assault on the maritime sector after the industry’s governing body, the International Maritime Organization (IMO), admitted it had also suffered a cyber-attack when its website went down yesterday.

“The interruption of service was caused by a cyber-attack against our IT systems,” it said today. “IMO is working with UN IT and security experts to restore systems as soon as possible, identify the source of the attack and further enhance security systems to prevent recurrence.”

Source: theloadstar


The United Nations agency for international shipping came under cyber-attack at the end of last week, forcing a number of services offline, it has emerged.

Headquartered in London, the International Maritime Organization (IMO) is responsible for the regulation, safety and security of global shipping.

However, it revealed in a tweet last Wednesday that its website was “undergoing some technical issues.” It admitted a day later that these had actually been caused by malicious actors.

In a longer announcement on Friday recapping the incident, the IMO said its Global Integrated Shipping Information Systems (GISIS) database, document repository IMODOCS, and its Virtual Publications service had been affected by the attack but were now restored.

However, at the time of writing, Virtual Publications appeared to still be offline.

The IMO said restoration of the other unnamed services affected by the attack would take place “as soon as possible and as safe as possible.”

“The interruption of web-based services was caused by a sophisticated cyber-attack against the organization’s IT systems that overcame robust security measures in place. IMO has ISO/IEC 27001:2013 certification for its information security management system. IMO was the first UN organization to get this certification in 2015,” the IMO explained.

“The IMO headquarters file servers are located in the UK, with extensive backup systems in Geneva. The backup and restore system is regularly tested. Following the attack the secretariat shut down key systems to prevent further damage from the attack.”

The organization’s email and virtual meeting platforms were unaffected by the incident, it added.

The incident sounds like a ransomware attack: just last week it was revealed that French shipping giant CMA CGM suffered such an outage after a breach at its Chinese offices impacted the availability of some servers and applications.

Source: infosecurity


Dryad and cyber partners RedSkyAlliance continue to monitor the stark upward trend in attempted attacks within the maritime sector. Here we also examine the recent attack on CMA CGM.

“Fraudulent emails designed to make recipients hand over sensitive information, extort money or trigger malware installation on shore-based or vessel IT networks remains one of the biggest day-to-day cyber threats facing the maritime industry.”

Dryad Global’s cyber security partners, Red Sky Alliance, perform weekly queries of backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails. Email subject line Motor Vessel (MV) or Motor Tanker (MT) keyword usage is a common lure to entice users in the maritime industry to open emails containing malicious attachments.

With our cyber security partner we are providing a weekly list of Motor Vessels where it is observed that the vessel is being impersonated, with associated malicious emails.

The identified emails attempted to deliver malware or phishing links to compromise the vessels and/or parent companies. Users should be aware of the subject lines used and the email addresses that are attempting to deliver the messages.

In the above collection, we see malicious actors attempting to use vessel names to try to spoof companies in the maritime supply chain. This week we observed a wide variety of maritime-related subject lines. Some of the new vessel names used this week include “MT Blue Sky” and “MV YARRAWONGA” among others. Analysts observed bad actors continuing to leverage “Kleven” in malicious email subject lines this week. Beginning in February 2020, analysts saw threat actors using this vessel name as part of their subject lines. Using the following sender emails, attackers have leveraged this vessel to spread malware targeting multiple unique recipients:

“Hashemi” <ops.ir@mcha-shipping.com>
“A.P. Moller – Maersk.(Shanghai, Head Office)” <nooreply@maersk.com>
“P. Moller – Maersk (Shanghai, Head Office)” <eb6bceca@fd8e08.com>
“A.P. Moller – Maersk” <nooreply@maersk.com>
“A.P. Moller – Maersk” <14709c9@fd8e08.com>
“A.P. Moller – Maersk” <f5fbf089377@1cb9beb999.com>
“Azil bin Salleh (LCTC Information Technology Services)” <azils@lotte.net>
“Babel Markus (Gechter GmbH)” <markus.babel@gechter.com>

Red Sky Alliance will continue to monitor this vessel name and identify the malicious activity associated with it. Analysts observed the malicious subject line “Fw: Re: FRFQ CARGO CONTAINER 6X6X8” being used this week. Notably, this subject line was sent from the same sender to multiple unique recipients. Typically, attackers will CC others on malicious emails or add them to the list of recipients in a single email. However, this attacker sent an individual email to each recipient.

The email address using this subject line to send malware is “Lisa Emily” <charlesmaherr@grps.org>. This email address is currently used by the principal of Sibley Elementary, based in Grand Rapids, Michigan. This user’s email does not appear in breach data, so at this time it appears that threat actors are spoofing the email instead of using an account which has been successfully taken over. The alias in this case is “Lisa Emily”; however, there have been multiple aliases used with that email address. The following names have also been used as an alias with this email address:

  • Maichele Suzan
  • Anny Jesse
  • Eng Tan Jessmine

The senders use multiple unique subject lines (not all maritime related) and appear to target Electroputere. Electroputere is one of the largest industrial companies in Romania. It is unclear why these specific recipients are being targeted or what positions they hold at the company.

The attackers are attaching malware to the emails in the form of malicious zip files using unique file names. The zip files contain Trojan:Win32/MereTam.A malware which has the ability to create a backdoor on a target system to download other malware, including but not limited to ransomware. This malware also has the ability to stop scheduled scanning by Microsoft Windows Defender which helps the malware evade detection.
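As an added example (not code from the Dryad or Red Sky Alliance report), the following Python script triages constructed mail headers for the signals described above: a vessel-name (MV/MT) subject lure, a brand named in the display name but sent from an unrelated domain, an archive attachment, and a sender address reused under several display names. The brand-to-domain table, the sample messages and their `.invalid` addresses are assumptions constructed for this example.

```python
import re
from collections import defaultdict
from email import message_from_string
from email.utils import parseaddr

# Brands seen in spoofed display names, mapped to the sending domains we would
# accept for them. Assumed values for this example only.
BRAND_DOMAINS = {"maersk": {"maersk.com"}, "cma cgm": {"cma-cgm.com"}}
# Subject lure: a vessel prefix (MV / MT / M/V / M/T) followed by a name.
VESSEL_LURE = re.compile(r"\b(?:MV|MT|M/V|M/T)\s+[A-Z][\w .-]{2,}", re.I)
ARCHIVE_EXTS = (".zip", ".rar", ".7z")

def classify(raw):
    """Return (flags, sender_address) for one RFC 5322 message string."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    flags = []
    if VESSEL_LURE.search(msg.get("Subject", "")):
        flags.append("vessel-name-lure")
    # Display name claims a brand, but the address is on an unrelated domain.
    if any(b in name.lower() and domain not in d for b, d in BRAND_DOMAINS.items()):
        flags.append("display-name-brand-mismatch")
    # Archive attachments are the delivery vehicle the report describes.
    if any((p.get_filename() or "").lower().endswith(ARCHIVE_EXTS) for p in msg.walk()):
        flags.append("archive-attachment")
    return flags, addr.lower()

def alias_churn(raws):
    """Sender addresses that were used under more than one display name."""
    seen = defaultdict(set)
    for raw in raws:
        name, addr = parseaddr(message_from_string(raw).get("From", ""))
        seen[addr.lower()].add(name)
    return {a: n for a, n in seen.items() if len(n) > 1}

# Constructed sample messages; addresses use the reserved .invalid TLD.
SAMPLES = [
    'From: "A.P. Moller - Maersk" <eb6bceca@example.invalid>\n'
    "Subject: MV YARRAWONGA - Bridge\n"
    'Content-Type: multipart/mixed; boundary="b1"\n\n'
    '--b1\nContent-Type: application/zip; name="doc.zip"\n'
    'Content-Disposition: attachment; filename="doc.zip"\n\nUEsDBA==\n--b1--\n',
    'From: "Lisa Emily" <sender@example.invalid>\n'
    "Subject: Fw: Re: FRFQ CARGO CONTAINER 6X6X8\n\nPlease see attached.\n",
    'From: "Anny Jesse" <sender@example.invalid>\nSubject: Invoice\n\nHi\n',
    'From: "Ops" <ops@example.invalid>\nSubject: Port call schedule\n\nHi\n',
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(classify(raw))
    print(alias_churn(SAMPLES))
```

The first sample trips all three per-message flags, and the second and third share one address under two display names, which is the alias-churn pattern noted for the “Lisa Emily” sender.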

In other news this morning, the shipping giant CMA CGM was hit by a major cyber attack which disrupted daily operations for the company. According to Lloyd’s of London Intelligence sources, several of the company’s offices were affected by Ragnar Locker ransomware.[1] CMA CGM initially claimed that their booking system was disabled by an internal IT issue, but later confirmed that “external access to CMA CGM IT applications are currently unavailable” after the ransomware attack.

Last week Red Sky Alliance analysts identified CMA CGM’s name being used as part of a malicious email using the subject line “RE: CMA CGM CHRISTOPHE COLOMB – Bridge” (TR-20-265-001_Vessel_Impersonation). This email contained a malicious attachment containing TrojanDownloader:O97M/Emotet.CSK!MTB malware. This malware is typically used to steal sensitive information from a victim’s network but can also be used to download other malware including, but not limited, to ransomware.

Analysts have determined that this email was not part of this specific attack, but malicious emails often play a critical role in activating malware on a company’s network. That particular email had a “redacted” message body which would force many unwitting recipients into opening the attachment out of curiosity.

Attackers often use ransomware to earn a profit, however Ragnar has taken their attacks a step further. If a company is able to restore their data from backups and avoid paying the ransom, attackers will expose sensitive information online which was stolen as part of the ransomware attack. This attack would make CMA CGM the fourth major container shipping carrier known to have fallen victim to such a major cyber incident.

[1] https://lloydslist.maritimeintelligence.informa.com/LL1134044/CMA-CGM-confirms-ransomware-attack

These analysis results illustrate how a recipient could be fooled into opening an infected email. Doing so could cause the recipient to become an infected member of the maritime supply chain and thus possibly infect victim vessels, port facilities and/or shore companies in the marine, agricultural, and other industries with additional malware.

Fraudulent emails designed to make recipients hand over sensitive information, extort money or trigger malware installation on shore-based or vessel IT networks remains one of the biggest day-to-day cyber threats facing the maritime industry. These threats often carry a financial liability to one or all those involved in the maritime transportation supply chain.

Pre-empt, don’t just defend
Preventative cyber protection offers a strong first-line defense by preventing deceptive messages from ever reaching staff inboxes, but malicious hackers are developing new techniques to evade current detection daily.

Using preemptive information from Red Sky Alliance RedXray diagnostic tool, our Vessel Impersonation reports and Maritime Blacklists offer a proactive solution to stopping cyber-attacks. Recent studies suggest cyber-criminals are researching their targets and tailoring emails for staff in specific roles. Another tactic is to spoof emails from the chief executive or other high-ranking maritime contemporaries in the hope staff lower down the supply chain will drop their awareness and follow the spoofed email obediently. Analysts across the industry are beginning to see maritime-specific examples of these attacks.

The more convincing an email appears, the greater the chance employees will fall for a scam. To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also encompasses the human element as well as organizational workflows and procedures.

It is imperative to:

  • Train all levels of the marine supply chain to realize they are under constant cyber-attack.
  • Stress maintaining constant attention to the real-world consequences of careless cyber practices or general inattentiveness.
  • Provide practical guidance on how to look for a potential phishing attempt.
  • Use direct communication to verify emails and supply chain email communication.
  • Use Red Sky Alliance RedXray proactive support, our Vessel Impersonation information and the Maritime Blacklists to proactively block cyber attacks from identified malicious actors.

Source: businessandmaritimewestafrica

