The new software provides a .NET framework, optionally with source code, that can be used as the starting point for a custom ship-based application, providing display of primary radar, radar tracks, electronic navigational charts (S-57/S-63), secondary transponder information, such as AIS and ADS-B, and NMEA navigation data.

The MDF software can receive radar video from a variety of maritime radar sensors including Furuno, Hensoldt, JRC, Koden, Raymarine, Raytheon, Simrad, Sperry and Terma, with control of the radar supported for certain models.

The MDF software supports many display capabilities required in an ARPA display, including bearing lines, range markers, trails and closest point of approach (CPA) and time to CPA (TCPA). Additionally, camera video is supported for situations where a customer requires an integrated radar and camera display for security against piracy and smugglers.

David Johnson, CEO, Cambridge Pixel, said: “Using the MDF framework application with source code, developers can significantly accelerate the time to develop a customer application. The software offers a fully-functional out-of-the-box display application in a development environment so that customised displays can easily be created.”

A marine radar with automatic radar plotting aid (ARPA) capability can create tracks using radar contacts. The system can calculate the tracked object’s course, speed and CPA, thereby knowing if there is a danger of collision with the other ship or landmass. Marine radars with ARPA are used on numerous commercial vessels including cargo ships, passenger ferries, trawlers, superyachts and tankers.

“Our MDF software application provides maritime integrators with a working solution from day one and gives them the freedom to add the bells and whistles later,” said David Johnson. “So rather than a developer starting from scratch with a low-level library of modules we provide those building blocks as a pre-packaged application to fast-track development.”

“This is attractive to new entrants to the ARPA display console market and for software developers who may be looking for a better pedigree of standard modules for their application and who want to focus their software development efforts on customisation.”

The MDF software is compatible with Cambridge Pixel’s radar processing products, such as SPx Server for target tracking and SPx Fusion. A complete ship-based radar processing solution can be provided using standard server applications for radar processing and a customised MDF client application.

The Maritime Display Framework is written in the C# language and is designed for development of a Windows WPF-based client application.

Cambridge Pixel’s Maritime Display Framework is part of a family of radar acquisition and processing components and applications that provide system integrators with a powerful toolkit to build server and client display systems. The company’s world-leading SPx suite of software libraries and applications provides highly flexible, ready-to-run software products or ‘modules-of-expertise’ for radar scan conversion, visualisation, radar video distribution, target tracking, sensor fusion, plot extraction and clutter processing.

Cambridge Pixel’s radar technology is used in naval, air traffic control, vessel traffic, Electronic Chart Display and Information Systems (ECDIS), commercial shipping, security, surveillance and airborne radar applications.

Source: prnewswire

On the 25th May 2018, the EU GDPR came into force. This significant legislation, described by some as the “biggest single shake up of data legislation in the last 25 years,” has wide reaching impacts for all Maritime organisations who collect, manage, process and store personally identifiable and personal sensitive data for EU citizens – anywhere in the world .

Our new, NCSC Certified e-Learning course offers organisations an accessible and comprehensive method of raising GDPR awareness across all users of the business quickly.

Source: templarexecs

Why is GDPR particularly relevant to shipping?
Although GDPR will probably affect every organisation that
processes personal data, the shipping industry will be particularly
affected due to the following reasons:
• Even small shipping companies process personal data of their
crew on a daily basis. Most shipping companies keep records of
their crew members between embarkations and for some time
after the last debarkation.
• Personal data processed by shipping companies includes
personal identification documents, bank details, travel
documents, training records but also data considered to be
‘sensitive’ such as medical records.
• Shipping companies receive personal data from many sources such
as the individuals themselves, manning agents, port agents and
other third parties, in the normal course of business.
• They send personal data to many recipients such as port agents,
travel agents and P&I clubs.
• They regularly make data transfers to a large number of
jurisdictions, with particular interest in those made to countries
outside the EU, and in specific, those where certain conditions
must be met in order for the transfer to be allowable.
What should shipping companies do?
1. AWARENESS
It is crucial that shipping companies kick-start their GDPR project
with raising awareness among top management on what GDPR
requires and what the key risks for their particular organisation
are. Engaging the right people at top management level is
necessary to ensure that the organisation commits the necessary
time and resources and develops a culture that respects privacy.
2. TEAM
With the full support of management, organisations need to
assemble a multi-discipline team to run the project ensuring
risk, legal and IT are included. The appointment of a Data
Protection Officer may be required, under certain
circumstances, in which case the organisations need to
consider who that person might be. Trusted external advisors
can bring technical expertise, perspective and help save time.
3. IDENTIFICATION OF DATA PROCESSING ACTIVITIES
It is then time to identify and record the data processing activities,
ensuring that for each activity, the entire data lifecycle is captured
(from collection all the way to destruction). Data processors and
joint-controllers should also be identified at this stage.
4. GAP ANALYSIS AND COMPLIANCE PLAN
Whilst capturing the flows, organisations should look for the
weaknesses in the data flows, evaluate the resulting risk and
respond to that risk with a specific practical plan of action, so that
the risk can be mitigated to an acceptable low level. To identify
weaknesses they will also need to consider their policies and
procedures, their current compliance framework (for example ISM,
MLC etc) as well as tools and enablers, including legal documents
(forms, terms and conditions, etc) and of course the IT environment.
5. IMPLEMENTATION OF CHANGES IN POLICIES,
PROCEDURES, NOTICES, LEGAL, IT
Once the specific action plan is complete, organisations can then
proceed to the implementation phase. This would normally include
making changes in privacy policies, contracts with manning agents,
P&I clubs, information notices to port agents, staff and crew as
well as drafting appropriate consent forms. Implementation could
also include changes in manual procedures, IT security (firewalls,
encryption etc) and business continuity & disaster recovery plan.
External advisors can again help carry out various aspects of the
implementation but also assist in managing the effort.

Source: greece.moorestephens

The new European General Data Protection Regulation (Regulation (EU) 2016/679), will enter into force on the 25th of May 2018, and it is expected to affect businesses, government agencies and organisations, which collect or analyse information of European Union citizens.

The 28th of January each year is the global Personal Data Protection day, which for 2018, has a particular importance because the EU General Data Protection Regulation (“GDPR”) will come into force in May 2018. Stricter rules and higher fines increase the risks of non-compliance. Violations of the GDPR can have a severe impact on companies that handle personal information – both financially, as well as for their reputation.
Meeting GDPR is not just a compliance requirement, but can also lead to a competitive advantage by proving to be a trustworthy employer and business partner for customers.
What is personal data?

Personal data is defined as any information concerning the personal or material circumstances of a person and is associated with the data on employees, contractors and customers. This includes name, address, material conditions, such as health, or IP address.

Certain kinds of data are classified as “sensitive”. These are data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, or data concerning health or sex life.

To help the shipping industry understand and comply with the new GDPR Regulation Maritime Academy is offering a course that will assist those who have day-to-day responsibility for data handling, to implement better its provisions.

The following subjects are discussed and analysed:
Provisions and principles of the new regulation and understanding
What constitutes personal data?
Who does the GDPR affect?
What is the difference between a data processor and a data controller?
Get informed on the rights of the data subjects.
Discuss if you need to appoint a Data Processing Officer (DPO) and
What are his duties and responsibilities?
Hear how to transfer personal data to third countries
The penalties for non-compliance
Learn how to have your Privacy Notice GDPR ready
Understand how to organise an information audit to map data flows and
The use of the Data Protection Impact Assessment (DPIA)
Get informed on how to deal with and report data protection breaches and
Exercise due diligence under the GDPR
Explore other jurisdictions’ data protection laws
Get up-dated on recent famous data breaches

Source: DNV GL Maritime Academy Hellas

The General Data Protection Regulation (GDPR) is the biggest shake-up to data protection laws in Europe in over twenty years. GDPR came into force on 25 May 2018 and is designed to create a single set of requirements across Europe that give individuals more rights and control over how organisations can process and store their personal information.

At Bupa Global we take privacy and data protection seriously. Part of our vision statement is to respect everyone’s individuality, culture, privacy and dignity. As part of this, we consider information to be key to our business and understand that customers trust us to keep their personal information safe.

We’ve set out below a few FAQs that we have received about Bupa Global’s preparations for GDPR.

How has Bupa Global been preparing for GDPR?

We take privacy and data protection very seriously at Bupa Global. In line with our Bupa Code we respect everyone’s individuality, culture, privacy and dignity. As part of this, we consider information to be key to our business and understand that our customers and our people trust us to keep their personal information safe.

To make sure the business continuously improves, Bupa Global has been preparing for the GDPR for some time by running a readiness programme which brings together privacy, IT, legal and compliance expertise to review our business processes, IT and organisational controls, customer literature, and third party arrangements against the new requirements. Our preparations continue to respond to the evolving regulatory environment and the guidance we expect over the coming months from privacy regulators in Europe and beyond. We see privacy as something that goes beyond GDPR and is a part of business as usual at Bupa Global.

Although the GDPR is European legislation, the changes we are making will in some cases have effect for our customers, suppliers, partners and brokers beyond the UK and Europe.

Does GDPR apply to Bupa Global’s brokers?

It may do.

GDPR applies to data controllers and data processors and can apply to those based within the European Union and outside the European Union. The GDPR will apply to businesses established in the European Union and businesses based outside of the European Union that offer goods or services in the EU or monitor the behaviour of EU citizens, irrespective of whether the business has a presence in Europe.

Under GDPR, is Bupa Global acting as a data processor for its brokers?

Bupa Global cannot provide an absolute answer as arrangements may differ. Bupa Global provides a wide range of services to both individuals and companies. In privacy terms, Bupa Global is generally acting as a data controller when delivering these services, rather than as a data processor.

In order for Bupa Global to provide international private medical insurance services, Bupa Global determines what personal information it requires about individual members. This includes determining the personal information that is required to provide the services and how it is used (e.g. what personal information is used to price premiums and underwrite, how personal information is used to manage claims and provide benefits). When Bupa Global is making these decisions, Bupa Global is acting as a data controller.

We consider that brokers will generally also be data controllers. This is because brokers are usually making decisions about personal information they collect, the purposes for which personal information is processed and the way in which it is processed.

Brokers act as agents of the insured party. Generally, each broker determines what personal information they need to collect prior to providing such personal information to Bupa Global in order to arrange an insurance policy. The broker will retain the personal information and continue to control how it is used (e.g. to send marketing to individuals). On this basis, the broker would also be a data controller.

What does it mean if Bupa Global and a broker are each data controllers?

Under GDPR, where Bupa Global and a broker each act as data controllers, each party has responsibilities for the ways in which we collect, use, store and delete personal information. We each need to determine for ourselves how the law applies to us and what we need to do. For our brokers, this may mean that they need to make some changes to the ways in which they operate, review their current processes and consider their privacy culture.

At Bupa Global, we see compliance with GDPR as part of doing the right thing for customers, rather than just compliance with a legal obligation.

Will Bupa Global be changing its agreements with brokers?

Yes, Bupa Global will be updating our agreements with our brokers as required in order to reflect changes to privacy law under GDPR. This does not mean that all of our brokers will immediately receive new agreements, as we may already have GDPR-ready terms in place.

Will Bupa Global be updating its Privacy Notice?

Yes, we have updated our privacy notice available on our website and are updating all of our guides and other materials in line with GDPR requirements.

Will Bupa Global complete broker’s GDPR readiness questionnaires?

As Bupa Global generally acts as a data controller for the provision of our services, we will not complete questionnaires that are designed to carry out due diligence on data processors. When processing personal information as a data controller Bupa Global has direct legal obligations for compliance with relevant data protection laws as well as complying with our internal privacy standards. We recognise, however, that our customers wish to ensure that all of their service providers are committed to safeguarding information to the highest standard. We are happy to discuss specific areas of concern, and brokers should raise any such issues with their usual Bupa Global contact.

What frameworks are in place to ensure that Bupa effectively manages privacy issues?

Bupa Global’s privacy framework is built out of Bupa’s enterprise level privacy, information security and risk policies.

Bupa Global’s policy and governance structures relating to privacy are designed with the accountability principle of the GDPR in mind.

Our enterprise level policies on information risk and privacy govern the approach Bupa Global takes to ensuring that privacy issues are effectively managed within the business. Regular risk assessments are carried out, which feed into our broader risk registers and committees, ultimately reporting to the Bupa Board Risk Committee.

Source: bupaglobal

The EU Network and Information Security Directive (NIS) requires maritime transport and other essential services to demonstrate that they have implemented ‘appropriate and proportionate’ cyber security measures. The NIS will come into force on 6 May 2018 and the Government has just published a consultation paper on the implementation of the NIS in the UK. The largest port or harbour authorities and maritime transport companies headquartered in the UK will be directly impacted by these new provisions and there will inevitably be a trickle-down effect on small companies that contract with those organisations. The penalties for breach of the new laws will be substantial – 4% of global turnover or £17 million, whichever is the greater. These measures will be in addition to the other new cyber laws, such as the General Data Protection Regulation (GDPR), which are about to come into effect.

Over the last 18 months, the maritime sector has worked hard to focus its response to the growing cyber risk that it undoubtedly faces. In June 2017, we saw updated cyber security guidelines from the International Maritime Organisation (IMO) Safety Committee. These guidelines are tied into the ISM Code. Although the guidelines are currently“recommendatory”, they require cyber risk to be appropriately addressed in safety management systems no later than the first annual verification of a company’s “document of compliance” after 1 January 2021.

Network and Information Security Directive (NIS)

The latest development for UK-based maritime organisations comes with the publication of a Government consultation paper on the implementation of the Network and Information Security Directive (NIS) (EU 2016/1148). This EU Directive, which was approved in 2016, requires “essential services” to develop certain standards of cyber security. The NIS leaves it to individual EU member states to decide how to implement its requirements in their own domestic law. The recent consultation paper sets out the UK’s proposals in that regard.

Maritime transport is listed as one of the “essential services” to which the NIS will apply. Not all operators in this sector, however, will be affected directly by the current proposals that are intended to apply only to the largest operations with headquarters in the UK.

In the UK context, that will mean harbour authorities and ports with annual passenger numbers greater than 10 million or with 15% of the UK’s Ro-Ro or Lo Lo traffic or that account for 10% of UK liquid bulk or 20% of UK bio-mass fuel. Under the Government proposals, the NIS will also impact “water transport companies” that handle more than 30% of freight at any UK port in scope and five million tonnes of annual freight in UK ports as a whole. They will also apply to companies with 30% of annual passenger numbers at any individual UK port in scope and more than two million passengers at all UK ports. As at September 2017, the term “water transport companies” has not been defined.

Despite these limitations on the direct application of the NIS, it seems inevitable that its adoption by large organisations will have a knock on effect on smaller companies that work with or supply those organisations. This is because contracts for the supply of goods and services to the large organisations are likely to be amended to make small organisations responsible for any malware or other breach of cyber security that may be passed up the supply chain.

In addition, the Government is proposing to retain a reserve power to include within the scope of the NIS specific operators that do not meet the thresholds set out above, but which are still considered to provide an essential service.

Failure to comply with the NIS will, it is proposed, expose companies to very significant financial penalties of up to £17 million or 4% of global turnover, whichever is the greater.

Companies will be exposed to those fines if they “fail to implement appropriate and proportionate security measures”.  These requirements are in addition to other provisions relating, for example, to GDPR.

The consultation paper does not set out in any detail the measures that the Government will expect to see implemented. Rather, the Government proposes to:

“… set out the high level security principles which will be complimented by more detailed guidance, that will be either generic or sector specific. … These principles describe the mandatory security outcomes that all operators will be required to achieve”. 

The Government’s view is that operators of essential services are responsible for managing their risks and will need to implement security measures in line with the high level principles established for the purposes of NIS, having regard to the more detailed sector-specific and generic guidance to be published by the relevant NIS competent authorities. It is clear, however, that the new rules will cover governance, risk management, asset management and supply chain issues. In addition, there will be a mandatory incident reporting regime (that will be additional to existing reporting requirements and recommendations).

The consultation closes on 30 September 2017 and the Government will issue its further directives thereafter, with the intention that the scheme should go live from May 2018.

Although NIS is an EU Directive, its implementation by the UK Government will not be affected materially by the UK’s departure from the European Union.

Source: incegd

Two years to go. The International Maritime Organization (IMO) encourages ship owners and managers to have incorporated cyber risk management into ship safety by the 1st of January 2021. But what does that mean? And how to address maritime cyber risks?

Digitalization

The maritime sector is on the verge of a digital disruption. Digitalization is increasingly considered one of the key solutions to the many significant challenges the sector is facing, ranging from overcapacity, low margins, regulatory pressure, and lack of efficiency, to new digital demands from customers. Although digital transformation of the maritime sector is still in its infancy, it’s safe to assume that digitalization will have a major impact on operations and existing business models in the years to come.

But fast-moving changes do not come without risk. Industrial automation and control systems that were once isolated and deemed secure, are increasingly being connected to corporate networks and the Internet. Individual devices across enterprise Information Technology (IT) and Operational Technology (OT) networks – from smart digital equipment and tools to navigation, engines and more – will present potential new pathways to cyber attacks and incidents on vessels.

First steps towards regulation

This has driven IMO to issue the Resolution on Cyber Risk Management. The resolution “encourages administrations to ensure that cyber risks are appropriately addressed in safety management systems” by 2021.

While that does not sound too obligatory, potential implications of inappropriate cyber risk management are obvious, as it may lead to, for example:

• Increased (unforeseen) expenses;
• Operational loss due to incidents;
• Safety and personnel damage;
• Limited competitive edge.

But potentially, consequences are more widespread. Lack of compliance with these requirements may also lead to increased insurance fees, port access denial and even detention of ships, again meaning huge financial losses for their owners.

It is expected that, though for now just a recommendation, the IMO Guidelines can become the GDPR for the maritime sector: that regulation where noncompliance potentially affects your license to operate – and that regulation that seems difficult to get a grip on.

As cyber security may not be the core business of most maritime organisations, proper guidance on efficiently incorporating cyber risk management is needed. This is where KPMG offers its global expertise on cyber security advisory and digital risk management for the maritime sector.

Addressing cyber risk

KPMG’s solutions aim at letting maritime organisations manage cyber risk in the way that is intended in, for example, the IMO Guidelines on Maritime Cyber Risk Management and the BIMCO Guidelines on Cyber Security Onboard Ships. This includes:

• Identify: To be able to identify and manage risks and turn them into business advantages, you first need to understand your connected landscape and identify the most relevant threats and highest risks for your environment.
• Protect: Once you understand your maritime IT and OT landscape and the impact and risks of the different systems within, you can take appropriate measures to protect it where relevant.
• Detect: Having identified and designed the controls and measures to protect your environment, it is important to monitor them. By monitoring network traffic, logs and end-points, you can better detect cyber incidents.
• Respond: When an incident happens, getting back to business as usual is key for your business continuity and safety. Hence, cyber response processes should be ‘second nature’ for your organization.
• Recover: After the heat of the incident is over, and business is as usual, it is time to gain an understanding of the situation and evaluate the current security measures to prevent similar incidents in the future. At this stage you will need to answer stakeholder questions about the incident and identify lessons learned.

Sailing high wind with cyber security will enable you to harvest benefits from digitalization and reduce unnecessary costs. Today’s cyber risk posture in the maritime sector, as well as upcoming regulations, demand a strong approach towards identifying those cyber risks that matter most, and addressing them in the most cost-effective way. This asks for scalable and data-driven solutions to automatically identify and address risks.

Source: linkedin

Introduction

The EU General Data Protection regulation (GDPR) was approved by the EU parliament on 14 April 2016 and comes into force on 25 May 2018. This piece of legislation introduces a new data protection framework to be applied to all the EU member states. This new regime – indeed much more severe and cogent than the existing one – aims to provide a greater amount of rights on individuals in relation to their data. As a result, the amount of obligations upon the organizations with regard to storage, collection, and treatment of personal data will definitely increase. One of the key changes is certainly the consequences in case of GDPR breaches. Fines for non-compliance, in fact, may reach up to either Euro 20 million or 4 % of the annual turnover (whichever is higher) for serious breaches.

What is Personal Data?

Pursuant to article 4 of the GDPR, personal data means any information relating to an identified or identifiable natural person, so-called data subject. A natural person can be identified by an identifier such as a name, identification number, location data or through factors specific to social identity. Further to this, Special Category personal data is data revealing racial or ethnic origins, political opinions, religious or philosophical beliefs, genetic and medical information. Organizations are subject to additional obligations while processing these special data.

When does an organization “Process” Personal Data?

Processing personal data means to perform an operation related to certain personal data; for example, by using, deleting, amending or disclosing such personal data.

Why the Shipping Industry will be affected by the GDPR?

Shipping companies store and handle a great amount of personal data, for instance passenger information, crew member details, travel documents, training records, bank details and other information gathered in the ordinary course of business. Moreover, shipping companies are likely to share this information with third parties such as port agents and P&I clubs.

Not only shipping companies will be subject to the GDPR. Brokers, surveyors, agents, correspondents, external services providers, very often deal with personal data, sometimes also sensitive ones. For instance, a personal injury claim or a claim involving a minor; in this case, the claimant – i.e. the data subject – will enjoy the right conferred by the GDPR.

To whom the GDPR applies to?

The GDPR applies to people of all nationalities when their personal data is processed by an organization established in EU. Also, the GDPR applies to non-EU organizations when they process personal data of people who are based in EU.

What are the consequences of failing to comply with the GDPR?

Indeed, the GDPR introduces draconian punishments. Fines for non-compliance may reach up to either Euro 20 million or 4 % of the annual turnover (whichever is higher) for serious breaches. For less serious offences, fines can reach up to Euro 10 million or 2% of turnover.

Apart from pecuniary punishments, non-compliance with the GDPR might keep the faulty organization away from important business opportunities in the future. Indeed, without mentioning the reputational consequences of a data breach, the GDPR compliance might become a paramount requirement for the companies in order to take part to the EU public contract tender, or in order to contract with companies siting in EU.

What should an organization do?

In order to comply with the GDPR, an organization should follow these 8 practical and essential steps:

1. Awareness: be aware that the law is changing to the GDPR. All the people of an organization must understand the impact of this new piece of legislation.
2. Information audit: assess what personal data the organization holds, where it comes from and who it is shared with. The audit is usually conducted by a legal team or professional firms with expertise in privacy matters.
3. Draft privacy notice: after the audit is concluded, it is possible to draft a tailor-made privacy policy according to the types of personal data that the organization process. Certain organizations are advised to draft several privacy policies, for example, one which contains specific wording where special category data is collected, another one for commercial use, and another one for HR purposes.
4. DPO: where appropriate, appoint a Data Protection Officer (DPO). An organization is required to appoint a DPO – i.e. someone to take responsibility for data protection compliance – where carries out the regular and systematic monitoring of individuals on a large scale or, carries out the large-scale processing of special categories of data such as health records, or information about criminal conviction. A competent external DPO can bring technical expertise and help to save time.
5. Consent: review how the organization obtains, records and manages consent. Consent must be specific, granular, clear, prominent, properly documented and easily withdrawn.
6. Individuals’ rights: check the procedure and be sure that they cover all the rights that individuals have. According to the GDPR, individuals have the right to: be informed, access, rectification, erasure, object and restrict processing. Therefore, the organization, for instance, should be ready to react if someone asks to have their personal data delated or modified.
7. Data Breaches: make sure that the right procedures are in place to detect, report and investigate a personal data breach, so-called Incident Report Plan. Authorities must be notified of any breach of the regulations within 72 hours of the event.
8. Training: ensure that organization personnel is trained about the GDPR compliance. A GDPR crash course along with periodic training would be appropriate in certain circumstances.

Will the GDPR affect the data that a ship uses and shares?

Yes, in so far as such data is considered Personal Data pursuant to article 4 of the GDPR.

Is a commercial data (B/L, Data of Vessel) subject to GDPR?

No, unless commercial data includes personal data.

Are the GDPR fines excluded from a P&I cover?

No. However, cover for such fine would indeed requires that all the reasonable steps to avoid the breach had been taken.