Believe it or not, it’s still a little too early to see what impact the new regulation is having, although this is line with our expectations given the data protection regulators around Europe were inundated with reports of data breaches that still related to pre-GDPR enforcement. Only within the last few months, are we now starting to see some examples of organisations that are falling foul of post GDPR requirements, however despite this, what we do know is the shipping sector needs to be continually switched on to the requirements of GDPR given the day-to-day processing activities undertaken by shipping companies.

Processing activities include the processing of crew information, the transfer of personal information between a shipping company and third parties such as a port agents, manning agents or P&I clubs and the international exposure of data transfers resulting from these relationships.

Shipping companies should also remember personal health records are often collated and processed, triggering the GDPR requirements surrounding the processing of special categories of personal data.

The real issue that organisations in all sectors, including shipping, are coming across is the GDPR requirement surrounding ‘accountability’. Post 25 May 2018, it’s important that any organisation is fully compliant or able to provide evidence that they are actively working towards compliance to satisfy the accountability and transparency principles of the GDPR.

So as professional advisors, what are we seeing now, some ten months later?

There are still a significant number of shipping companies continuing to work towards full compliance, but very quickly we’re seeing a shift from ‘getting ready for GDPR’ to focusing on how to satisfy the accountability requirement – that is, how you will ensure your shipping company continues to comply with the regulation in future.

Article 5 of the GDPR focuses on the accountability principle. This is the part of the regulation all shipping companies must be on top of and be able to evidence, at least annually, going forward.

The responsibility of satisfying the accountability principle falls upon the assigned Data Protection Officer or, if one is not deemed necessary, the individual that has been allocated the responsibility of data protection within an organisation.

Shipping companies need to consider whether all policies, procedures and systems introduced or amended are being adhered to and whether they’re working effectively, to ensure you continue to operate within the expectations of the regulation.

This means introducing a GDPR compliance project plan that incorporates appropriate testing and verification techniques, so at the end of the year, management are able to assess what’s working well and what needs further improvement.

We’ve launched our Data Protection Officer support function service and our outsourced Data Compliance Officer function, which includes the management and running of the ongoing GDPR compliance monitoring plan, but moreover enables your shipping company to pass more of the responsibility of data protection to us as an outsourced provider.

Source: hellenicshippingnews

Introduction

The EU General Data Protection regulation (GDPR) was approved by the EU parliament on 14 April 2016 and comes into force on 25 May 2018. This piece of legislation introduces a new data protection framework to be applied to all the EU member states. This new regime – indeed much more severe and cogent than the existing one – aims to provide a greater amount of rights on individuals in relation to their data. As a result, the amount of obligations upon the organizations with regard to storage, collection, and treatment of personal data will definitely increase. One of the key changes is certainly the consequences in case of GDPR breaches. Fines for non-compliance, in fact, may reach up to either Euro 20 million or 4 % of the annual turnover (whichever is higher) for serious breaches.

What is Personal Data?

Pursuant to article 4 of the GDPR, personal data means any information relating to an identified or identifiable natural person, so-called data subject. A natural person can be identified by an identifier such as a name, identification number, location data or through factors specific to social identity. Further to this, Special Category personal data is data revealing racial or ethnic origins, political opinions, religious or philosophical beliefs, genetic and medical information. Organizations are subject to additional obligations while processing these special data.

When does an organization “Process” Personal Data?

Processing personal data means to perform an operation related to certain personal data; for example, by using, deleting, amending or disclosing such personal data.

Why the Shipping Industry will be affected by the GDPR?

Shipping companies store and handle a great amount of personal data, for instance passenger information, crew member details, travel documents, training records, bank details and other information gathered in the ordinary course of business. Moreover, shipping companies are likely to share this information with third parties such as port agents and P&I clubs.

Not only shipping companies will be subject to the GDPR. Brokers, surveyors, agents, correspondents, external services providers, very often deal with personal data, sometimes also sensitive ones. For instance, a personal injury claim or a claim involving a minor; in this case, the claimant – i.e. the data subject – will enjoy the right conferred by the GDPR.

To whom the GDPR applies to?

The GDPR applies to people of all nationalities when their personal data is processed by an organization established in EU. Also, the GDPR applies to non-EU organizations when they process personal data of people who are based in EU.

What are the consequences of failing to comply with the GDPR?

Indeed, the GDPR introduces draconian punishments. Fines for non-compliance may reach up to either Euro 20 million or 4 % of the annual turnover (whichever is higher) for serious breaches. For less serious offences, fines can reach up to Euro 10 million or 2% of turnover.

Apart from pecuniary punishments, non-compliance with the GDPR might keep the faulty organization away from important business opportunities in the future. Indeed, without mentioning the reputational consequences of a data breach, the GDPR compliance might become a paramount requirement for the companies in order to take part to the EU public contract tender, or in order to contract with companies siting in EU.

What should an organization do?

In order to comply with the GDPR, an organization should follow these 8 practical and essential steps:

1. Awareness: be aware that the law is changing to the GDPR. All the people of an organization must understand the impact of this new piece of legislation.
2. Information audit: assess what personal data the organization holds, where it comes from and who it is shared with. The audit is usually conducted by a legal team or professional firms with expertise in privacy matters.
3. Draft privacy notice: after the audit is concluded, it is possible to draft a tailor-made privacy policy according to the types of personal data that the organization process. Certain organizations are advised to draft several privacy policies, for example, one which contains specific wording where special category data is collected, another one for commercial use, and another one for HR purposes.
4. DPO: where appropriate, appoint a Data Protection Officer (DPO). An organization is required to appoint a DPO – i.e. someone to take responsibility for data protection compliance – where carries out the regular and systematic monitoring of individuals on a large scale or, carries out the large-scale processing of special categories of data such as health records, or information about criminal conviction. A competent external DPO can bring technical expertise and help to save time.
5. Consent: review how the organization obtains, records and manages consent. Consent must be specific, granular, clear, prominent, properly documented and easily withdrawn.
6. Individuals’ rights: check the procedure and be sure that they cover all the rights that individuals have. According to the GDPR, individuals have the right to: be informed, access, rectification, erasure, object and restrict processing. Therefore, the organization, for instance, should be ready to react if someone asks to have their personal data delated or modified.
7. Data Breaches: make sure that the right procedures are in place to detect, report and investigate a personal data breach, so-called Incident Report Plan. Authorities must be notified of any breach of the regulations within 72 hours of the event.
8. Training: ensure that organization personnel is trained about the GDPR compliance. A GDPR crash course along with periodic training would be appropriate in certain circumstances.

Will the GDPR affect the data that a ship uses and shares?

Yes, in so far as such data is considered Personal Data pursuant to article 4 of the GDPR.

Is a commercial data (B/L, Data of Vessel) subject to GDPR?

No, unless commercial data includes personal data.

Are the GDPR fines excluded from a P&I cover?

No. However, cover for such fine would indeed requires that all the reasonable steps to avoid the breach had been taken.

Source: macchimaggesi

The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is set to come into force in May 2018. It is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU).

The GDPR replaces the EU Data Protection Directive and applies to all member countries without the need for national legislation. After four years of discussion and amendments, the regulation officially takes effect on May 25, 2018 and places the EU at the forefront of data protection standards.

Ince & CO explains, “Shipping companies collect a great deal of personal data, including passenger information, crew and employee details, customer lists and details of business contacts. The complex global nature of the industry and high level of personal data processed and exchanged, often across national borders, can leave information vulnerable to security breaches, intentional or otherwise. Implementing effective data protection controls into daily operating procedures is a huge challenge. However, when the EU General Data Protection Regulation and the UK’s Data Protection Act 2018 come into force on 25 May 2018, businesses ignore them at their peril, as non-compliance can result in large fines and reputational damage. There are also commercial benefits to effective compliance: companies that protect the privacy of their passengers, employees and business associates and conduct properly targeted marketing campaigns will be more likely to attract and retain business and staff.”

Lester Aldridge underlines the steps companies need to take to prepare for the GDPR, stating, “under the GDPR, there is a full list of action points for businesses to take to ensure data protection compliance. The following 5 key steps are perhaps the most important ones that should help company’s process data correctly:

1. Appoint a data protection officer to ensure compliance.
2. Implement a system internally to ensure the relevant supervisor is informed of a personal data breach within 72 hours of first becoming aware of the breach.
3. Adopt an updated data protection and privacy policy by analysing your system and practice to ensure that data is processed in accordance with the permitted legal grounds
4. Run audits and risk assessments on collected personal data and keep the individuals informed about processing their personal data.
5. Provide training to your employees and ensure that they are abreast with the correct processes and ensure that data controllers have contracts with all of their data processors.”

With large potential fines (the greater of up to 4% of global turnover or 20 million Euros), risk of claims from individuals and reputational damage, businesses need to make the necessary changes to their systems and policies now in order to be prepared when the GDPR “goes live” on 25 May 2018.

HFW states, “The GDPR will also apply to organisations established outside of the EEA if certain conditions apply, including where they monitor the behaviour of individuals within the EEA (for example, via cookies), offer goods or services to individuals within the EEA (note that if you offer goods or services to a business that business has individuals within it) or where EEA Member State law applies in accordance with international law, e.g. where a vessel is flagged with an EEA Member State registry.

Particular factors to consider when determining whether the GDPR will apply are:

• Are any of your vessels flagged within the EEA?
• Is your website directed towards customers based in the EEA, for example by giving an option to choose a “UK” setting, an EEA currency, or a particular language?.
• Can your services be bought from within the EEA?
• Do you have a registered establishment or an office in the EEA?
• Is your business currently registered with an EEA data protection authority, such as the UK’s Information Commissioner’s Office (the “ICO”)?
• Do you use servers located in the EEA?
• Do you monitor the behaviour of any individuals within the EEA (irrespective of their nationality or habitual residence)? For example, if your website uses tracking cookies, then you are “monitoring individuals” for the purposes of the GDPR.

If the answer to any of these questions is yes then it is likely that the GDPR applies to you.

The GDPR introduces a host of new obligations and requirements with which businesses must comply. Five key action points are as follows:

1. Conduct a data audit. Data controllers and processors alike are required to keep records of their personal data processing. Analyse your systems and practices to check what personal data you process, why, how you use them, where they are stored and whether you still need them. Check whether you process them in accordance with one of the permitted legal grounds (e.g. has the individual given their consent, or is the processing necessary for the performance of a contract with the individual, or necessary for a legitimate business interest). “Sensitive” personal data are subject to stricter rules and processing usually requires the individual’s consent. Note that “consent” is more difficult to obtain under the GDPR regime than under the UK Data Protection Act 1998 which implements the current EU data protection regime. Criminal records of employees or service providers can only be processed in accordance with specific EEA Member State laws. Document your findings and decisions.
2. Draft or amend policies and procedures. The GDPR strengthens and adds to individuals’ rights, for example it strengthens the rights to have personal data deleted or frozen, adds a new right of “data portability” where an individual can request that personal data stored electronically be transferred to a different data controller, and shortens timelines for compliance with individuals’ requests. It also imposes new obligations on all data controllers to report personal data breaches to relevant data protection authorities within 72 hours, and to report breaches to individuals concerned (if the breach is high risk) “without undue delay”. It introduces a new concept of “privacy by design”, which requires businesses to think about protecting individuals’ privacy at the very beginning of any new project and to conduct “privacy impact assessments” calculating the potential risks to individuals’ privacy rights. Businesses will need to update (or draft) policies and procedures to ensure compliance with these obligations.
3. Inform individuals about your processing through fair processing notices. Individuals must be kept informed about the processing of their personal data. The GDPR increases the amount of information which must be included in these notices. Privacy policies will need to be updated and businesses will need to amend (or draft) notification forms.
4. Amend or put contracts in place with data processors. The GDPR requires data controllers to have contracts in place with all of their data processors, containing certain elements specified in the GDPR.
5. Appoint a data protection officer. Many businesses will be required to appoint data protection officers, or may choose to do so voluntarily, given the increased risks associated with data protection.”

The UK P&I Club suggests an action plan in accordance with the GDPR stating, “In order to comply to the full scope of the GDPR, it is recommended that organisations seek legal counsel.

At a minimum, here are a few high-level action items:

• Get consent: A data controller must be able prove that consent was given by the data subject.
• Conduct a Data Protection Impact Assessment: It’s important to assess privacy risks of processing personal data of individuals.
• Where appropriate, appoint a data protection officer: This person is responsible for overseeing compliance and data protection strategies.
• Be prepared to report data breaches: Under the GDPR organisations must report a breach within 72 hours.
• Maintain records of processing: Article 30 states that controllers “shall maintain a record of processing activities under its responsibility.”

The GDPR will change the way the shipping industry handles data forever. It is something that must be taken very seriously as any violation will result in severe repercussions. Organisations that fail to comply will face significant fines—as high as four percent of the organisation’s annual revenue. Furthermore, individuals may take action against any entity that improperly handled their personal data.

Source: seanews

Two years to go. The International Maritime Organization (IMO) encourages ship owners and managers to have incorporated cyber risk management into ship safety by the 1st of January 2021. But what does that mean? And how to address maritime cyber risks?

Digitalization

The maritime sector is on the verge of a digital disruption. Digitalization is increasingly considered one of the key solutions to the many significant challenges the sector is facing, ranging from overcapacity, low margins, regulatory pressure, and lack of efficiency, to new digital demands from customers. Although digital transformation of the maritime sector is still in its infancy, it’s safe to assume that digitalization will have a major impact on operations and existing business models in the years to come.

But fast-moving changes do not come without risk. Industrial automation and control systems that were once isolated and deemed secure, are increasingly being connected to corporate networks and the Internet. Individual devices across enterprise Information Technology (IT) and Operational Technology (OT) networks – from smart digital equipment and tools to navigation, engines and more – will present potential new pathways to cyber attacks and incidents on vessels.

First steps towards regulation

This has driven IMO to issue the Resolution on Cyber Risk Management. The resolution “encourages administrations to ensure that cyber risks are appropriately addressed in safety management systems” by 2021.

While that does not sound too obligatory, potential implications of inappropriate cyber risk management are obvious, as it may lead to, for example:

• Increased (unforeseen) expenses;
• Operational loss due to incidents;
• Safety and personnel damage;
• Limited competitive edge.

But potentially, consequences are more widespread. Lack of compliance with these requirements may also lead to increased insurance fees, port access denial and even detention of ships, again meaning huge financial losses for their owners.

It is expected that, though for now just a recommendation, the IMO Guidelines can become the GDPR for the maritime sector: that regulation where noncompliance potentially affects your license to operate – and that regulation that seems difficult to get a grip on.

As cyber security may not be the core business of most maritime organisations, proper guidance on efficiently incorporating cyber risk management is needed. This is where KPMG offers its global expertise on cyber security advisory and digital risk management for the maritime sector.

Addressing cyber risk

KPMG’s solutions aim at letting maritime organisations manage cyber risk in the way that is intended in, for example, the IMO Guidelines on Maritime Cyber Risk Management and the BIMCO Guidelines on Cyber Security Onboard Ships. This includes:

• Identify: To be able to identify and manage risks and turn them into business advantages, you first need to understand your connected landscape and identify the most relevant threats and highest risks for your environment.
• Protect: Once you understand your maritime IT and OT landscape and the impact and risks of the different systems within, you can take appropriate measures to protect it where relevant.

Source: linkedin

The European General Data Protection Regulation (GDPR) entered into force on 25 May this year. While many of its provisions already applied under existing national and European data protection laws, the advent of the GDPR raised the profile of the issue and concentrated the minds of those in organisations that are now faced with the possibility of huge fines for any failure to protect adequately the personal data of their customers and employees and, most importantly, to report when a breach has occurred.

Under GDPR, companies are obligated to do three basic things: to ensure that data is held only for specific reasons and purposes; to ensure data subjects’ consent is not only freely given but as easy to withdraw as to provide, and to ensure systems for the storage and processing of data are secure.

This has led to the emergence of a whole industry of instant experts in data protection, who flooded many people’s inboxes with apocalyptic warnings of impending catastrophe and quick-fix solutions of high cost and limited results.  Quite how they compiled their distribution lists without breaching pre-existing data protection laws is not entirely clear.

One of the key issues for those in the shipping industry concerned cross-border transfers of personal data, particularly between EEA and non-EEA states. To what extent would GDPR apply to seafarers recruited from non-EEA countries?  Would it be lawful for personal data to be passed to organisations in countries outside the EEA?  These would include crewing and manning agencies, but also Port State Control and other statutory authorities and overseas ports.

The Chamber sought answers to these important questions from legal experts at law firm Hill Dickinson, who led a workshop for members at the UK Chamber last September.  Following on from this, the Chamber prepared a publication, ‘The GDPR: Guidance to Shipping Companies’, which was published by Witherby Publishing in June this year.

Following requests from members, the Chamber will host a follow-up workshop entitled ‘The GDPR – Implementation and Next Steps’ on the afternoon of Thursday 18 October. The key purposes of the workshop will be to introduce the guidelines and hear members’ experiences of bringing their data protection procedures into line with GDPR.

Hill Dickinson’s Javed Ali will take centre stage and will provide answers to some of the most important questions that members have raised concerning the GDPR. These include how transfers of personal data between data controllers and processors inside and outside the EEA should be conducted in order to be GDPR-compliant; the use of data protection clauses in contracts and charterparties, and the link between shipboard and shore-based data protection policies.

Mr Ali will also report on Hill Dickinson’s own experiences of the application of GDPR, the role that the Information Commissioner’s Office has played since 25th May and details of prosecutions for breaches of GDPR that have been brought.

Following Mr Ali’s presentation, members will have the opportunity to put their own questions to him and raise any further matters that might have come to light since the regulation’s entry into force. Suggestions for further actions by the UK Chamber will also be welcomed.

Source: ukchamberofshipping