Believe it or not, it’s still a little too early to see what impact the new regulation is having, although this is line with our expectations given the data protection regulators around Europe were inundated with reports of data breaches that still related to pre-GDPR enforcement. Only within the last few months, are we now starting to see some examples of organisations that are falling foul of post GDPR requirements, however despite this, what we do know is the shipping sector needs to be continually switched on to the requirements of GDPR given the day-to-day processing activities undertaken by shipping companies.
Processing activities include the processing of crew information, the transfer of personal information between a shipping company and third parties such as a port agents, manning agents or P&I clubs and the international exposure of data transfers resulting from these relationships.
Shipping companies should also remember personal health records are often collated and processed, triggering the GDPR requirements surrounding the processing of special categories of personal data.
The real issue that organisations in all sectors, including shipping, are coming across is the GDPR requirement surrounding ‘accountability’. Post 25 May 2018, it’s important that any organisation is fully compliant or able to provide evidence that they are actively working towards compliance to satisfy the accountability and transparency principles of the GDPR.
So as professional advisors, what are we seeing now, some ten months later?
There are still a significant number of shipping companies continuing to work towards full compliance, but very quickly we’re seeing a shift from ‘getting ready for GDPR’ to focusing on how to satisfy the accountability requirement – that is, how you will ensure your shipping company continues to comply with the regulation in future.
Article 5 of the GDPR focuses on the accountability principle. This is the part of the regulation all shipping companies must be on top of and be able to evidence, at least annually, going forward.
The responsibility of satisfying the accountability principle falls upon the assigned Data Protection Officer or, if one is not deemed necessary, the individual that has been allocated the responsibility of data protection within an organisation.
Shipping companies need to consider whether all policies, procedures and systems introduced or amended are being adhered to and whether they’re working effectively, to ensure you continue to operate within the expectations of the regulation.
This means introducing a GDPR compliance project plan that incorporates appropriate testing and verification techniques, so at the end of the year, management are able to assess what’s working well and what needs further improvement.
We’ve launched our Data Protection Officer support function service and our outsourced Data Compliance Officer function, which includes the management and running of the ongoing GDPR compliance monitoring plan, but moreover enables your shipping company to pass more of the responsibility of data protection to us as an outsourced provider.