
New technologies have led to significant changes in our daily lives, and those changes are reflected in new rules and laws on privacy and security. Today, both public institutions and the private sector have access to a wide range of information about thousands of people in the course of their business. As a result of rapid developments in information technology, this information can be processed and transmitted easily.

By raising the privacy and security requirements placed on companies, this transformation has made digitalization inevitable. Various organizations also see this necessity as an opportunity for "technological restructuring". With the Turkish Personal Data Protection Law (KVKK), introduced in 2016, organizations that lacked sufficient infrastructure and knowledge in the area of privacy and security have started to focus on it.

Personal data protection is directly related to the right to privacy, one of the fundamental human rights. Before the KVKK, the rules on personal data protection were set out in the Turkish Criminal Code, the Constitution and other relevant legislation. Personal Data Protection Law No. 6698 is now the most important legal regulation in this area and carries the most severe sanctions.

Source: verisistem


The new European General Data Protection Regulation (Regulation (EU) 2016/679) will enter into force on the 25th of May 2018, and it is expected to affect businesses, government agencies and organisations that collect or analyse information on European Union citizens.

The 28th of January each year is the global Personal Data Protection day, which has particular importance in 2018 because the EU General Data Protection Regulation ("GDPR") will come into force in May 2018. Stricter rules and higher fines increase the risks of non-compliance. Violations of the GDPR can have a severe impact on companies that handle personal information, both financially and for their reputation.

Meeting the GDPR is not just a compliance requirement; it can also lead to a competitive advantage by proving the organisation to be a trustworthy employer and business partner for customers.

What is personal data?

Personal data is defined as any information concerning the personal or material circumstances of a person, and it covers data on employees, contractors and customers. This includes name, address, material conditions such as health, or IP address.

Certain kinds of data are classified as “sensitive”. These are data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, or data concerning health or sex life.

To help the shipping industry understand and comply with the new GDPR, the Maritime Academy is offering a course that will assist those who have day-to-day responsibility for data handling to better implement its provisions.

The following subjects are discussed and analysed:
Provisions and principles of the new regulation, and how to understand them
What constitutes personal data?
Who does the GDPR affect?
What is the difference between a data processor and a data controller?
Get informed on the rights of the data subjects.
Discuss if you need to appoint a Data Processing Officer (DPO) and
What are his duties and responsibilities?
Hear how to transfer personal data to third countries
The penalties for non-compliance
Learn how to have your Privacy Notice GDPR ready
Understand how to organise an information audit to map data flows and
The use of the Data Protection Impact Assessment (DPIA)
Get informed on how to deal with and report data protection breaches and
Exercise due diligence under the GDPR
Explore other jurisdictions’ data protection laws
Get updated on recent famous data breaches

Source: DNV GL Maritime Academy Hellas


This Law was drafted with regard to international instruments, the Turkish Constitution, Turkish legislation, comparative law practice and the present-day needs of the country. Its aim is to protect the fundamental rights and freedoms of individuals, in particular the privacy of personal life, by ensuring that personal data is processed to contemporary standards. To that end, the Law regulates the conditions for processing personal data, the basic principles to be adopted for the protection of personal data, the obligations of the natural and legal persons who process personal data, and the procedures and principles they must comply with.

EU General Data Protection Regulation (GDPR)

To harmonise the rules on the protection of personal data across the member states of the European Union, the Data Protection Directive 95/46/EC (on the processing of personal data and the free movement of such data) was repealed in line with the new requirements, and this Regulation was put into effect in 2018. Its main purpose is to ensure the data security of residents of the European Union by giving them an effective approach to privacy and security, with organizations reshaped in terms of compliance.

Source: cottgroup


The General Data Protection Regulation (GDPR) is the biggest shake-up to data protection laws in Europe in over twenty years. GDPR came into force on 25 May 2018 and is designed to create a single set of requirements across Europe that give individuals more rights and control over how organisations can process and store their personal information.

At Bupa Global we take privacy and data protection seriously. Part of our vision statement is to respect everyone’s individuality, culture, privacy and dignity. As part of this, we consider information to be key to our business and understand that customers trust us to keep their personal information safe.

We’ve set out below a few FAQs that we have received about Bupa Global’s preparations for GDPR.

How has Bupa Global been preparing for GDPR?

We take privacy and data protection very seriously at Bupa Global. In line with our Bupa Code we respect everyone’s individuality, culture, privacy and dignity. As part of this, we consider information to be key to our business and understand that our customers and our people trust us to keep their personal information safe.

To make sure the business continuously improves, Bupa Global has been preparing for the GDPR for some time by running a readiness programme which brings together privacy, IT, legal and compliance expertise to review our business processes, IT and organisational controls, customer literature, and third party arrangements against the new requirements. Our preparations continue to respond to the evolving regulatory environment and the guidance we expect over the coming months from privacy regulators in Europe and beyond. We see privacy as something that goes beyond GDPR and is a part of business as usual at Bupa Global.

Although the GDPR is European legislation, the changes we are making will in some cases have effect for our customers, suppliers, partners and brokers beyond the UK and Europe.

Does GDPR apply to Bupa Global’s brokers?

It may do.

GDPR applies to data controllers and data processors and can apply to those based within the European Union and outside the European Union. The GDPR will apply to businesses established in the European Union and businesses based outside of the European Union that offer goods or services in the EU or monitor the behaviour of EU citizens, irrespective of whether the business has a presence in Europe.

Under GDPR, is Bupa Global acting as a data processor for its brokers?

Bupa Global cannot provide an absolute answer as arrangements may differ. Bupa Global provides a wide range of services to both individuals and companies. In privacy terms, Bupa Global is generally acting as a data controller when delivering these services, rather than as a data processor.

In order for Bupa Global to provide international private medical insurance services, Bupa Global determines what personal information it requires about individual members. This includes determining the personal information that is required to provide the services and how it is used (e.g. what personal information is used to price premiums and underwrite, how personal information is used to manage claims and provide benefits). When Bupa Global is making these decisions, Bupa Global is acting as a data controller.

We consider that brokers will generally also be data controllers. This is because brokers are usually making decisions about personal information they collect, the purposes for which personal information is processed and the way in which it is processed.

Brokers act as agents of the insured party. Generally, each broker determines what personal information they need to collect prior to providing such personal information to Bupa Global in order to arrange an insurance policy. The broker will retain the personal information and continue to control how it is used (e.g. to send marketing to individuals). On this basis, the broker would also be a data controller.

What does it mean if Bupa Global and a broker are each data controllers?

Under GDPR, where Bupa Global and a broker each act as data controllers, each party has responsibilities for the ways in which we collect, use, store and delete personal information. We each need to determine for ourselves how the law applies to us and what we need to do. For our brokers, this may mean that they need to make some changes to the ways in which they operate, review their current processes and consider their privacy culture.

At Bupa Global, we see compliance with GDPR as part of doing the right thing for customers, rather than just compliance with a legal obligation.

Will Bupa Global be changing its agreements with brokers?

Yes, Bupa Global will be updating our agreements with our brokers as required in order to reflect changes to privacy law under GDPR. This does not mean that all of our brokers will immediately receive new agreements, as we may already have GDPR-ready terms in place.

Will Bupa Global be updating its Privacy Notice?

Yes, we have updated our privacy notice available on our website and are updating all of our guides and other materials in line with GDPR requirements.

Will Bupa Global complete brokers' GDPR readiness questionnaires?

As Bupa Global generally acts as a data controller for the provision of our services, we will not complete questionnaires that are designed to carry out due diligence on data processors. When processing personal information as a data controller Bupa Global has direct legal obligations for compliance with relevant data protection laws as well as complying with our internal privacy standards. We recognise, however, that our customers wish to ensure that all of their service providers are committed to safeguarding information to the highest standard. We are happy to discuss specific areas of concern, and brokers should raise any such issues with their usual Bupa Global contact.

What frameworks are in place to ensure that Bupa effectively manages privacy issues?

Bupa Global’s privacy framework is built out of Bupa’s enterprise level privacy, information security and risk policies.

Bupa Global’s policy and governance structures relating to privacy are designed with the accountability principle of the GDPR in mind.

Our enterprise level policies on information risk and privacy govern the approach Bupa Global takes to ensuring that privacy issues are effectively managed within the business. Regular risk assessments are carried out, which feed into our broader risk registers and committees, ultimately reporting to the Bupa Board Risk Committee.


Source: bupaglobal


The EU Network and Information Security Directive (NIS) requires maritime transport and other essential services to demonstrate that they have implemented "appropriate and proportionate" cyber security measures. The NIS will come into force on 6 May 2018, and the Government has just published a consultation paper on its implementation in the UK. The largest port or harbour authorities and maritime transport companies headquartered in the UK will be directly affected by these new provisions, and there will inevitably be a trickle-down effect on smaller companies that contract with those organisations. The penalties for breach of the new laws will be substantial: 4% of global turnover or £17 million, whichever is the greater. These measures will be in addition to the other new cyber laws, such as the General Data Protection Regulation (GDPR), which are about to come into effect.

Over the last 18 months, the maritime sector has worked hard to focus its response to the growing cyber risk that it undoubtedly faces. In June 2017, we saw updated cyber security guidelines from the International Maritime Organisation (IMO) Safety Committee. These guidelines are tied into the ISM Code. Although the guidelines are currently "recommendatory", they require cyber risk to be appropriately addressed in safety management systems no later than the first annual verification of a company's "document of compliance" after 1 January 2021.

Network and Information Security Directive (NIS)

The latest development for UK-based maritime organisations comes with the publication of a Government consultation paper on the implementation of the Network and Information Security Directive (NIS) (EU 2016/1148). This EU Directive, which was approved in 2016, requires “essential services” to develop certain standards of cyber security. The NIS leaves it to individual EU member states to decide how to implement its requirements in their own domestic law. The recent consultation paper sets out the UK’s proposals in that regard.

Maritime transport is listed as one of the "essential services" to which the NIS will apply. Not all operators in this sector, however, will be affected directly: the current proposals are intended to apply only to the largest operations with headquarters in the UK.

In the UK context, that will mean harbour authorities and ports with annual passenger numbers greater than 10 million or with 15% of the UK’s Ro-Ro or Lo Lo traffic or that account for 10% of UK liquid bulk or 20% of UK bio-mass fuel. Under the Government proposals, the NIS will also impact “water transport companies” that handle more than 30% of freight at any UK port in scope and five million tonnes of annual freight in UK ports as a whole. They will also apply to companies with 30% of annual passenger numbers at any individual UK port in scope and more than two million passengers at all UK ports. As at September 2017, the term “water transport companies” has not been defined.

Despite these limitations on the direct application of the NIS, it seems inevitable that its adoption by large organisations will have a knock-on effect on smaller companies that work with or supply those organisations. This is because contracts for the supply of goods and services to the large organisations are likely to be amended to make the smaller organisations responsible for any malware or other breach of cyber security that may be passed up the supply chain.

In addition, the Government is proposing to retain a reserve power to include within the scope of the NIS specific operators that do not meet the thresholds set out above, but which are still considered to provide an essential service.

Failure to comply with the NIS will, it is proposed, expose companies to very significant financial penalties of up to £17 million or 4% of global turnover, whichever is the greater.

Companies will be exposed to those fines if they "fail to implement appropriate and proportionate security measures". These requirements are in addition to other provisions relating, for example, to the GDPR.

The consultation paper does not set out in any detail the measures that the Government will expect to see implemented. Rather, the Government proposes to:

"… set out the high level security principles which will be complemented by more detailed guidance, that will be either generic or sector specific. … These principles describe the mandatory security outcomes that all operators will be required to achieve".

The Government’s view is that operators of essential services are responsible for managing their risks and will need to implement security measures in line with the high level principles established for the purposes of NIS, having regard to the more detailed sector-specific and generic guidance to be published by the relevant NIS competent authorities. It is clear, however, that the new rules will cover governance, risk management, asset management and supply chain issues. In addition, there will be a mandatory incident reporting regime (that will be additional to existing reporting requirements and recommendations).

The consultation closes on 30 September 2017 and the Government will issue its further directives thereafter, with the intention that the scheme should go live from May 2018.

Although NIS is an EU Directive, its implementation by the UK Government will not be affected materially by the UK’s departure from the European Union.


Source: incegd


Two years to go. The International Maritime Organization (IMO) encourages ship owners and managers to have incorporated cyber risk management into ship safety by the 1st of January 2021. But what does that mean, and how should maritime cyber risks be addressed?

Digitalization

The maritime sector is on the verge of a digital disruption. Digitalization is increasingly considered one of the key solutions to the many significant challenges the sector is facing, ranging from overcapacity, low margins, regulatory pressure, and lack of efficiency, to new digital demands from customers. Although digital transformation of the maritime sector is still in its infancy, it’s safe to assume that digitalization will have a major impact on operations and existing business models in the years to come.

But fast-moving changes do not come without risk. Industrial automation and control systems that were once isolated and deemed secure are increasingly being connected to corporate networks and the Internet. Individual devices across enterprise Information Technology (IT) and Operational Technology (OT) networks, from smart digital equipment and tools to navigation, engines and more, will present potential new pathways for cyber attacks and incidents on vessels.

First steps towards regulation

This has driven IMO to issue the Resolution on Cyber Risk Management. The resolution “encourages administrations to ensure that cyber risks are appropriately addressed in safety management systems” by 2021.

While that does not sound very binding, the potential implications of inadequate cyber risk management are obvious; it may lead, for example, to:

  • Increased (unforeseen) expenses;
  • Operational loss due to incidents;
  • Safety and personnel damage;
  • Limited competitive edge.

But potentially, consequences are more widespread. Lack of compliance with these requirements may also lead to increased insurance fees, port access denial and even detention of ships, again meaning huge financial losses for their owners.

It is expected that the IMO Guidelines, though for now just a recommendation, can become the GDPR of the maritime sector: a regulation where non-compliance potentially affects your licence to operate, and one that seems difficult to get a grip on.

As cyber security may not be the core business of most maritime organisations, proper guidance on efficiently incorporating cyber risk management is needed. This is where KPMG offers its global expertise on cyber security advisory and digital risk management for the maritime sector.

Addressing cyber risk

KPMG’s solutions aim at letting maritime organisations manage cyber risk in the way that is intended in, for example, the IMO Guidelines on Maritime Cyber Risk Management and the BIMCO Guidelines on Cyber Security Onboard Ships. This includes:

  • Identify: To be able to identify and manage risks and turn them into business advantages, you first need to understand your connected landscape and identify the most relevant threats and highest risks for your environment.
  • Protect: Once you understand your maritime IT and OT landscape and the impact and risks of the different systems within, you can take appropriate measures to protect it where relevant.
  • Detect: Having identified and designed the controls and measures to protect your environment, it is important to monitor them. By monitoring network traffic, logs and end-points, you can better detect cyber incidents.
  • Respond: When an incident happens, getting back to business as usual is key for your business continuity and safety. Hence, cyber response processes should be ‘second nature’ for your organization.
  • Recover: After the heat of the incident is over, and business is as usual, it is time to gain an understanding of the situation and evaluate the current security measures to prevent similar incidents in the future. At this stage you will need to answer stakeholder questions about the incident and identify lessons learned.

Sailing high wind with cyber security will enable you to harvest benefits from digitalization and reduce unnecessary costs. Today’s cyber risk posture in the maritime sector, as well as upcoming regulations, demand a strong approach towards identifying those cyber risks that matter most, and addressing them in the most cost-effective way. This asks for scalable and data-driven solutions to automatically identify and address risks.


Source: linkedin


Introduction

The EU General Data Protection Regulation (GDPR) was approved by the EU Parliament on 14 April 2016 and comes into force on 25 May 2018. This piece of legislation introduces a new data protection framework to be applied in all the EU member states. The new regime, which is much more severe and cogent than the existing one, aims to confer more rights on individuals in relation to their data. As a result, the obligations on organizations with regard to the storage, collection and treatment of personal data will definitely increase. One of the key changes is certainly the consequences of GDPR breaches: fines for non-compliance may reach up to either Euro 20 million or 4% of annual turnover (whichever is higher) for serious breaches.

 

What is Personal Data?

Pursuant to article 4 of the GDPR, personal data means any information relating to an identified or identifiable natural person, the so-called data subject. A natural person can be identified by an identifier such as a name, identification number or location data, or through factors specific to social identity. Further, Special Category personal data is data revealing racial or ethnic origins, political opinions, religious or philosophical beliefs, and genetic and medical information. Organizations are subject to additional obligations when processing these special data.

 

When does an organization "process" Personal Data?

Processing personal data means performing an operation on certain personal data; for example, using, deleting, amending or disclosing it.

 

Why will the shipping industry be affected by the GDPR?

Shipping companies store and handle a great amount of personal data, for instance passenger information, crew member details, travel documents, training records, bank details and other information gathered in the ordinary course of business. Moreover, shipping companies are likely to share this information with third parties such as port agents and P&I clubs.

Shipping companies are not the only ones subject to the GDPR. Brokers, surveyors, agents, correspondents and external service providers very often deal with personal data, sometimes sensitive data too: for instance, in a personal injury claim or a claim involving a minor, the claimant, i.e. the data subject, will enjoy the rights conferred by the GDPR.

 

To whom does the GDPR apply?

The GDPR applies to people of all nationalities when their personal data is processed by an organization established in the EU. The GDPR also applies to non-EU organizations when they process personal data of people who are based in the EU.

 

What are the consequences of failing to comply with the GDPR?

Indeed, the GDPR introduces draconian punishments. Fines for non-compliance may reach up to either Euro 20 million or 4% of annual turnover (whichever is higher) for serious breaches. For less serious offences, fines can reach up to Euro 10 million or 2% of turnover.

Apart from pecuniary punishments, non-compliance with the GDPR might keep the offending organization away from important business opportunities in the future. Indeed, quite apart from the reputational consequences of a data breach, GDPR compliance might become a paramount requirement for companies wishing to take part in EU public contract tenders or to contract with companies based in the EU.

 

What should an organization do?

In order to comply with the GDPR, an organization should follow these eight practical and essential steps:

  1. Awareness: be aware that the law is changing to the GDPR. All the people of an organization must understand the impact of this new piece of legislation.
  2. Information audit: assess what personal data the organization holds, where it comes from and who it is shared with. The audit is usually conducted by a legal team or professional firms with expertise in privacy matters.
  3. Draft privacy notice: after the audit is concluded, it is possible to draft a tailor-made privacy policy according to the types of personal data that the organization processes. Certain organizations are advised to draft several privacy policies, for example one containing specific wording where special category data is collected, another for commercial use, and another for HR purposes.
  4. DPO: where appropriate, appoint a Data Protection Officer (DPO). An organization is required to appoint a DPO, i.e. someone who takes responsibility for data protection compliance, where it carries out regular and systematic monitoring of individuals on a large scale, or carries out large-scale processing of special categories of data such as health records or information about criminal convictions. A competent external DPO can bring technical expertise and help save time.
  5. Consent: review how the organization obtains, records and manages consent. Consent must be specific, granular, clear, prominent, properly documented and easily withdrawn.
  6. Individuals' rights: check the procedures and be sure that they cover all the rights that individuals have. According to the GDPR, individuals have the right to be informed, the right of access, and the rights to rectification, erasure, objection and restriction of processing. The organization should therefore be ready to react if, for instance, someone asks to have their personal data deleted or modified.
  7. Data breaches: make sure that the right procedures are in place to detect, report and investigate a personal data breach, the so-called Incident Response Plan. Authorities must be notified of any breach of the regulations within 72 hours of the event.
  8. Training: ensure that organization personnel are trained on GDPR compliance. A GDPR crash course along with periodic training would be appropriate in certain circumstances.

 

Will the GDPR affect the data that a ship uses and shares?

Yes, in so far as such data is considered Personal Data pursuant to article 4 of the GDPR.

 

Is commercial data (B/L, vessel data) subject to the GDPR?

No, unless commercial data includes personal data.

 

Are the GDPR fines excluded from a P&I cover?

No. However, cover for such a fine would require that all reasonable steps to avoid the breach had been taken.


The General Data Protection Regulation entered into force on the 25th of May and was designed to harmonize data privacy laws across Europe by introducing a new standard of data protection. It is important to remember that this legal instrument has extraterritorial effect and as such also concerns foreign companies that operate within the EU or process data of European citizens. Beyond doubt, companies operating in the maritime industry will be affected by the GDPR, as they process large volumes of personal data, such as data on employees, business contacts, passengers, vessel crew, contractors and much more. Stricter rules and higher fines increase the risk of non-compliance; the most direct impact of the GDPR, however, raises three main issues.


First and foremost, the GDPR provides a number of new rights to European citizens. The most fundamental one concerns the legal basis for data processing, which is, in fact, the consent of the person whose data is to be processed. As provided in art. 4(11), consent has to be given freely and unambiguously, by a statement or by clear affirmative action. Consent from clients can be accepted in several ways, e.g. in written, electronic or oral form. Importantly, companies have to ensure that withdrawing consent is as easy as giving it was in the first place. In addition to the issues relating to obtaining or withdrawing consent to the processing of personal data, one should also take into account the further individual rights granted by the GDPR:

• right to access data (art. 15)
• right to rectify data (art. 16)
• right to delete data – “right to be forgotten” (art. 17)
• right to limit processing (art. 18)
• right to transfer data (art. 20)
• right to object (art. 21)

Moreover, the GDPR sets out seven key principles that should lie at the heart of data processing:

• lawfulness, fairness and transparency
• purpose limitation
• data minimisation
• accuracy
• storage limitation
• integrity and confidentiality (security)
• accountability

At the moment, every company operating in the shipping industry worldwide has to comply with the GDPR's provisions when EU citizens' privacy rights are in question. This will have a major impact on those companies, both time-wise and money-wise.

1. Bureaucracy and costs

Companies that wish to comply with the new law will be subjected to an enormous amount of formal requirements and paperwork. All relevant activities should be implemented by means of appropriate internal procedures and duly documented. For this purpose, it is recommended to prepare documentation indicating the measures taken to properly implement and apply the GDPR (such documentation may include, among other things, appropriate security certificates and certification of the competence of persons having access to personal data, guidelines for employees, risk reports and analyses, certification of the measures used to secure ICT systems, etc.).

Art. 30(1) of the GDPR obliges each data administrator to keep a register of personal data processing activities. In principle, this obligation binds only companies with more than 250 employees. However, it may still apply to smaller companies when the data processing may cause a risk of violation, is not occasional, or includes specific categories of information (e.g. race, trade union membership).

When the main activity of the administrator or processor consists of processing operations which, by their nature, scope or objectives, require regular and systematic monitoring of data subjects on a large scale, the GDPR provides for the obligatory appointment of a Data Protection Officer. The administrator is required by the GDPR to analyse whether it is obliged to appoint a DPO. However, even if such an obligation does not directly result from the GDPR, according to the position of the Working Group (the opinion-forming body that co-created the content of the GDPR), appointing a DPO is strongly recommended.

The appointment of such a person gives additional security guarantees: it shows that the organisation has acted with due diligence as regards the protection of personal data. Art. 37(5) provides that the DPO should be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices, as well as the ability to fulfil the tasks set out in the Regulation. In practice, the GDPR requires the companies concerned to find an expert in the field, either by creating a new position or, as Art. 37(6) allows, by engaging an external DPO under a service contract.

As you can well imagine, these necessary changes will be time-consuming and will incur unavoidable costs. According to some estimates, the world's 500 biggest corporations are on track to spend a total of $7.8 billion to comply with the GDPR.[1]

2. More costs

The risk of non-compliance entails potentially very high costs, as regulators have the power to fine businesses that breach GDPR requirements up to 4% of their total worldwide annual turnover.

In the event of a violation of individuals' rights, the controller is exposed to both civil and administrative liability. Under the first type of liability, the GDPR gives persons whose rights have been violated the possibility, inter alia, to apply to a court for an order that the controller cease the violation or perform specific actions, or for an award of damages (Art. 79 and 82).

In addition, a controller or processor is also exposed to administrative fines (Art. 83), set at two levels:

• a fine of up to 10 million euro or, in the case of an undertaking, up to 2% of its total worldwide annual turnover of the preceding financial year, whichever is higher (Art. 83(4); this level applies, for example, to breaches of the controller's and processor's obligations on records of processing, security and breach notification);
• a fine of up to 20 million euro or, in the case of an undertaking, up to 4% of its total worldwide annual turnover of the preceding financial year, whichever is higher (Art. 83(5); this level applies, for example, to breaches of the basic processing principles, the conditions for consent, data subjects' rights and the rules on international transfers).

3. Member States are not prepared

The EU first legislated on the protection of personal data back in 1995 (Directive 95/46/EC), so the GDPR is a legal instrument whose origins lie in the previous century. Even so, only a small number of Member States were actually prepared for it: only France, Germany, Austria, Slovakia and Sweden have implemented national legislation adjusting their legal systems to the GDPR.

This does not mean that the other countries have abandoned national modifications; most Member States already have draft legislation that will have to be passed in due time. It should nevertheless be emphasised that businesses should not postpone adapting to the GDPR until their own Member State adopts its new data protection law. The GDPR takes the form of a regulation, which means that its provisions are directly binding and applicable in every Member State and have direct effect without any national implementing act. In other words, from 25 May 2018 the GDPR applies in full, and entities that carry out the relevant activities, including the collection and processing of personal data, must comply with its provisions.

Overall, the high stakes call for companies to make sure they are GDPR compliant, and there is a high probability that most of them still aren't.



The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) applies from 25 May 2018. It is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU).

The GDPR replaces the EU Data Protection Directive (95/46/EC) and applies directly in all Member States without the need for national implementing legislation. After four years of discussion and amendments, the regulation officially takes effect on May 25, 2018 and places the EU at the forefront of data protection standards.

Ince & CO explains, “Shipping companies collect a great deal of personal data, including passenger information, crew and employee details, customer lists and details of business contacts. The complex global nature of the industry and high level of personal data processed and exchanged, often across national borders, can leave information vulnerable to security breaches, intentional or otherwise. Implementing effective data protection controls into daily operating procedures is a huge challenge. However, when the EU General Data Protection Regulation and the UK’s Data Protection Act 2018 come into force on 25 May 2018, businesses ignore them at their peril, as non-compliance can result in large fines and reputational damage. There are also commercial benefits to effective compliance: companies that protect the privacy of their passengers, employees and business associates and conduct properly targeted marketing campaigns will be more likely to attract and retain business and staff.”

Lester Aldridge underlines the steps companies need to take to prepare for the GDPR, stating, “under the GDPR, there is a full list of action points for businesses to take to ensure data protection compliance. The following 5 key steps are perhaps the most important ones that should help companies process data correctly:

  1. Appoint a data protection officer to ensure compliance.
  2. Implement a system internally to ensure the relevant supervisor is informed of a personal data breach within 72 hours of first becoming aware of the breach.
  3. Adopt an updated data protection and privacy policy by analysing your system and practice to ensure that data is processed in accordance with the permitted legal grounds.
  4. Run audits and risk assessments on collected personal data and keep the individuals informed about processing their personal data.
  5. Provide training to your employees and ensure that they are abreast with the correct processes and ensure that data controllers have contracts with all of their data processors.”

With large potential fines (the greater of up to 4% of global turnover or 20 million Euros), risk of claims from individuals and reputational damage, businesses need to make the necessary changes to their systems and policies now in order to be prepared when the GDPR “goes live” on 25 May 2018.

HFW states, “The GDPR will also apply to organisations established outside of the EEA if certain conditions apply, including where they monitor the behaviour of individuals within the EEA (for example, via cookies), offer goods or services to individuals within the EEA (note that if you offer goods or services to a business that business has individuals within it) or where EEA Member State law applies in accordance with international law, e.g. where a vessel is flagged with an EEA Member State registry.

Particular factors to consider when determining whether the GDPR will apply are:

  • Are any of your vessels flagged within the EEA?
  • Is your website directed towards customers based in the EEA, for example by giving an option to choose a “UK” setting, an EEA currency, or a particular language?
  • Can your services be bought from within the EEA?
  • Do you have a registered establishment or an office in the EEA?
  • Is your business currently registered with an EEA data protection authority, such as the UK’s Information Commissioner’s Office (the “ICO”)?
  • Do you use servers located in the EEA?
  • Do you monitor the behaviour of any individuals within the EEA (irrespective of their nationality or habitual residence)? For example, if your website uses tracking cookies, then you are “monitoring individuals” for the purposes of the GDPR.

If the answer to any of these questions is yes then it is likely that the GDPR applies to you.

The GDPR introduces a host of new obligations and requirements with which businesses must comply. Five key action points are as follows:

  1. Conduct a data audit. Data controllers and processors alike are required to keep records of their personal data processing. Analyse your systems and practices to check what personal data you process, why, how you use them, where they are stored and whether you still need them. Check whether you process them in accordance with one of the permitted legal grounds (e.g. has the individual given their consent, or is the processing necessary for the performance of a contract with the individual, or necessary for a legitimate business interest). “Sensitive” personal data are subject to stricter rules and processing usually requires the individual’s consent. Note that “consent” is more difficult to obtain under the GDPR regime than under the UK Data Protection Act 1998 which implements the current EU data protection regime. Criminal records of employees or service providers can only be processed in accordance with specific EEA Member State laws. Document your findings and decisions.
  2. Draft or amend policies and procedures. The GDPR strengthens and adds to individuals’ rights, for example it strengthens the rights to have personal data deleted or frozen, adds a new right of “data portability” where an individual can request that personal data stored electronically be transferred to a different data controller, and shortens timelines for compliance with individuals’ requests. It also imposes new obligations on all data controllers to report personal data breaches to relevant data protection authorities within 72 hours, and to report breaches to individuals concerned (if the breach is high risk) “without undue delay”. It introduces a new concept of “privacy by design”, which requires businesses to think about protecting individuals’ privacy at the very beginning of any new project and to conduct “privacy impact assessments” calculating the potential risks to individuals’ privacy rights. Businesses will need to update (or draft) policies and procedures to ensure compliance with these obligations.
  3. Inform individuals about your processing through fair processing notices. Individuals must be kept informed about the processing of their personal data. The GDPR increases the amount of information which must be included in these notices. Privacy policies will need to be updated and businesses will need to amend (or draft) notification forms.
  4. Amend or put contracts in place with data processors. The GDPR requires data controllers to have contracts in place with all of their data processors, containing certain elements specified in the GDPR.
  5. Appoint a data protection officer. Many businesses will be required to appoint data protection officers, or may choose to do so voluntarily, given the increased risks associated with data protection.”

The UK P&I Club suggests an action plan in accordance with the GDPR stating, “In order to comply to the full scope of the GDPR, it is recommended that organisations seek legal counsel.

At a minimum, here are a few high-level action items:

  • Get consent: A data controller must be able to prove that consent was given by the data subject.
  • Conduct a Data Protection Impact Assessment: It’s important to assess privacy risks of processing personal data of individuals.
  • Where appropriate, appoint a data protection officer: This person is responsible for overseeing compliance and data protection strategies.
  • Be prepared to report data breaches: Under the GDPR organisations must report a breach within 72 hours.
  • Maintain records of processing: Article 30 states that controllers “shall maintain a record of processing activities under its responsibility.”

The GDPR will change the way the shipping industry handles data for good. It must be taken very seriously, as any violation can result in severe repercussions. Organisations that fail to comply face significant fines, as high as four percent of the organisation's annual global turnover. Furthermore, individuals may take action against any entity that improperly handled their personal data.

Source: seanews



03/2018
Shipping PRECISE. PROVEN. PERFORMANCE.

The European General Data Protection Regulation (GDPR) comes into full effect on 25 May 2018. Designed to increase protection of individuals' rights and freedoms, GDPR has strengthened privacy rules, thus increasing companies' privacy obligations. Stakes are high, as administrative fines can reach Euro 20 million or 4% of an organisation's global turnover (whichever is greater), but the true cost in the case of a severe data breach is obviously the loss of reputation and potential claims.

Why is GDPR particularly relevant to shipping?

Although GDPR will probably affect every organisation that processes personal data, the shipping industry will be particularly affected for the following reasons:

• Even small shipping companies process personal data of their crew on a daily basis. Most shipping companies keep records of their crew members between embarkations and for some time after the last disembarkation.
• Personal data processed by shipping companies includes personal identification documents, bank details, travel documents and training records, but also data considered to be 'sensitive', such as medical records.
• Shipping companies receive personal data from many sources, such as the individuals themselves, manning agents, port agents and other third parties, in the normal course of business.
• They send personal data to many recipients, such as port agents, travel agents and P&I clubs.
• They regularly transfer data to a large number of jurisdictions; of particular interest are transfers to countries outside the EU and, specifically, to those where certain conditions must be met for the transfer to be allowed.

What should shipping companies do?

1. AWARENESS
It is crucial that shipping companies kick-start their GDPR project by raising awareness among top management of what GDPR requires and what the key risks for their particular organisation are. Engaging the right people at top management level is necessary to ensure that the organisation commits the necessary time and resources and develops a culture that respects privacy.

2. TEAM
With the full support of management, organisations need to assemble a multi-discipline team to run the project, ensuring that risk, legal and IT are included. The appointment of a Data Protection Officer may be required under certain circumstances, in which case the organisation needs to consider who that person might be. Trusted external advisors can bring technical expertise and perspective and help save time.

3. IDENTIFICATION OF DATA PROCESSING ACTIVITIES
It is then time to identify and record the data processing activities, ensuring that for each activity the entire data lifecycle is captured (from collection all the way to destruction). Data processors and joint controllers should also be identified at this stage.

4. GAP ANALYSIS AND COMPLIANCE PLAN
While capturing the flows, organisations should look for the weaknesses in the data flows, evaluate the resulting risk and respond to that risk with a specific, practical plan of action, so that the risk can be mitigated to an acceptably low level. To identify weaknesses they will also need to consider their policies and procedures, their current compliance framework (for example ISM, MLC etc.), and their tools and enablers, including legal documents (forms, terms and conditions, etc.) and of course the IT environment.

5. IMPLEMENTATION OF CHANGES IN POLICIES, PROCEDURES, NOTICES, LEGAL, IT
Once the specific action plan is complete, organisations can proceed to the implementation phase. This would normally include making changes to privacy policies, contracts with manning agents and P&I clubs, and information notices to port agents, staff and crew, as well as drafting appropriate consent forms. Implementation could also include changes to manual procedures, IT security (firewalls, encryption etc.) and the business continuity and disaster recovery plan. External advisors can again help carry out various aspects of the implementation and assist in managing the effort.

6. DATA BREACH READINESS
It is crucial that organisations design an incident response plan that sets out the detailed actions that will need to take place so that, if required, notifications can be made in time to the Supervisory Authority (within 72 hours of becoming aware of the data breach) and to the data subjects. The plan should include a clear, pre-determined sequence of actions and a clear allocation of responsibility for those actions, as well as notification templates, investigation requirements, reporting, and media and communications management. Shipping companies should also maintain an incident log containing details of the privacy incidents identified and how they were followed up, irrespective of whether they were reportable to the Authority and/or the data subjects.

7. PRIVACY IMPACT ASSESSMENT
GDPR requires that companies consider the impact on data privacy when making important business decisions, so that the notions of privacy 'by design' and 'by default' are embedded in new projects at the design phase. A decision such as the selection of a new manning agent based outside the EU would require a detailed assessment of the data privacy conditions relevant to data transfers to and from the agent, so that the relevant considerations and potential risks are surfaced and mitigated appropriately at the inception of the agreement. A well-thought-through privacy impact assessment can help determine the terms and conditions that will eventually allow the parties to transfer data securely and reliably, with accountability issues resolved from the start of their contract; it can also expose a potentially high-risk business partner.

8. TRAINING
Once the GDPR compliance plan has been fully implemented, it is highly advisable to roll out GDPR training to all staff and crew, highlighting any changes that were implemented because of GDPR and the reasons for them. Personal data such as original travel documents and other records are held aboard the vessels, so it is important that training, to the appropriate extent, is also provided to the officers on board.

9. ONGOING MONITORING
Like all companies subject to GDPR, shipping companies need to demonstrate that they monitor their compliance on a continuous basis: updating their policies and procedures when needed, training their staff and crew, and updating their formal documents and agreements where these are relevant to personal data. In addition, shipping companies should design (and incorporate in their ongoing compliance monitoring framework) tests of the operational effectiveness of the controls mitigating significant risks associated with GDPR and data privacy in general, and follow up on the weaknesses identified.

10. FOSTERING A GOVERNANCE-DRIVEN CULTURE
No matter how many safeguards are put in place in an organisation's internal control environment, effective risk mitigation will always come down to how well people understand, appreciate and implement those safeguards. Establishing and maintaining a governance-driven culture that empowers people to actively protect their organisation creates a much more effective shield against privacy threats than a compliance-driven approach, which can prove bureaucratic.

How can shipping companies better manage GDPR compliance cost?

Compliance costs in shipping have increased steeply in the past few years. GDPR does not need to be another heavy compliance burden: by embedding the principles of privacy in the current structures, policies and procedures that were created to respond to the various other requirements coming from regulations, authorities or other counterparties, shipping companies can implement GDPR, as well as other privacy projects, in a truly risk-focused, effective and efficient way.

 

