GDPR and Shipping Industry
Organisations in the shipping industry may collect a lot of personal data, from email addresses of business contacts and counterparties to vessel crew and passenger information, as well as information about their own employees. Crew and contractors are vetted and managed. Immigration law obligations in numerous jurisdictions require certain personal information to be shared. Every business transaction involves interaction with individuals working for corporate counterparties. Much of this information is likely to cross national borders and be exposed from time to time to physical and cyber security risk. Once the GDPR applies, and the risk of large fines and reputational damage increases, breach of the data protection rules could potentially sink the business (or at least cause it to take on water).
Does the GDPR apply to my business if it is not based in the EEA?
The GDPR applies to all organisations "established" within the EEA, i.e. any organisation which has a "real and effective activity, even a minimal one, exercised through stable arrangements". If you have an office or regular operations in the EEA, and process personal data in the context of that office or those operations, then the GDPR is likely to apply to your business. The fact that the processing itself actually takes place outside of the EEA would not be material.
The GDPR will also apply to organisations established outside of the EEA if certain conditions apply, including where they monitor the behaviour of individuals within the EEA (for example, via cookies), offer goods or services to individuals within the EEA (bear in mind that a corporate customer is staffed by individuals, whose contact details you will process), or where EEA Member State law applies by virtue of public international law, e.g. where a vessel is flagged with an EEA Member State registry.
Particular factors to consider when determining whether the GDPR will apply are:
- Are any of your vessels flagged within the EEA?
- Is your website directed towards customers based in the EEA, for example by giving an option to choose a "UK" setting, an EEA currency, or a particular language?
- Can your services be bought from within the EEA?
- Do you have a registered establishment or an office in the EEA?
- Is your business currently registered with an EEA data protection authority, such as the UK's Information Commissioner's Office (the "ICO")?
- Do you use servers located in the EEA?
- Do you monitor the behaviour of any individuals within the EEA (irrespective of their nationality or habitual residence)? For example, if your website uses tracking cookies, then you are "monitoring individuals" for the purposes of the GDPR.
If the answer to any of these questions is yes then it is likely that the GDPR applies to you.
So the GDPR applies to my business - what next?
The GDPR introduces a host of new obligations and requirements with which businesses must comply.
First, some essential terminology: "data controllers" make the decisions on how and why personal data are processed. "Data processors" only process data on the instructions of the data controller. "Processing" means any action involving personal data, including merely storing it. "Personal data" means any information relating to an identified or identifiable natural (living) person (a "data subject"). Under the new definition of personal data, online "identifiers" such as cookies and IP addresses can make an individual "identifiable". "Sensitive" or "special category" personal data reveal information such as an individual's health, racial or ethnic origin, religious beliefs or sexual orientation.
A full account of how to comply with the GDPR requires more space than is available here, but five key action points are as follows:
- Conduct a data audit. Data controllers and processors alike are required to keep records of their personal data processing. Analyse your systems and practices to check what personal data you process, why, how you use them, where they are stored and whether you still need them. Check whether you process them in accordance with one of the permitted legal grounds (e.g. has the individual given their consent, or is the processing necessary for the performance of a contract with the individual, or necessary for a legitimate interest of the business). "Sensitive" personal data are subject to stricter rules and processing usually requires the individual's explicit consent. Note that valid "consent" is more difficult to obtain under the GDPR regime than under the UK Data Protection Act 1998, which implements the current EU data protection regime. Criminal records of employees or service providers can only be processed in accordance with specific EEA Member State laws. Document your findings and decisions.
- Draft or amend policies and procedures. The GDPR strengthens and adds to individuals' rights: for example, it strengthens the rights to have personal data erased or their processing restricted, adds a new right of "data portability" under which an individual can request that personal data stored electronically be transferred to a different data controller, and shortens the timelines for responding to individuals' requests. It also imposes new obligations on all data controllers to report personal data breaches to the relevant data protection authority within 72 hours of becoming aware of them (unless the breach is unlikely to result in a risk to individuals), and to notify the individuals concerned "without undue delay" where the breach is likely to result in a high risk to them. It introduces a new concept of "privacy by design" (in the GDPR's own words, "data protection by design and by default"), which requires businesses to think about protecting individuals' privacy at the very beginning of any new project and to conduct "privacy impact assessments" (termed "data protection impact assessments" in the GDPR) assessing the potential risks to individuals' privacy rights. Businesses will need to update (or draft) policies and procedures to ensure compliance with these obligations.
- Inform individuals about your processing through fair processing notices. Individuals must be kept informed about the processing of their personal data. The GDPR increases the amount of information which must be included in these notices. Privacy policies will need to be updated and businesses will need to amend (or draft) notification forms.
- Amend or put contracts in place with data processors. The GDPR requires data controllers to have contracts in place with all of their data processors, containing certain elements specified in the GDPR.
- Appoint a data protection officer. Many businesses will be required to appoint a data protection officer (in particular where their core activities involve large-scale regular and systematic monitoring of individuals, or large-scale processing of special category or criminal-record data), and others may choose to do so voluntarily, given the increased risks associated with data protection.
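The definition of personal data above (IP addresses and cookies count as identifiers) and the data audit step both turn on one practical question: which files, logs and exports actually contain identifiers? The following script is an added illustration, not code from the article, the law firm or Lloyd's. It scans text lines for a handful of identifier classes relevant to a shipping business (e-mail addresses, IPv4 addresses, a session cookie and a passport number), counts them per class for the record of processing, and replaces each hit with a keyed-hash token so that the audit report does not itself become another copy of the personal data. The sample lines, the `sid=` cookie format, the `passport:` field layout and the HMAC key are all constructed for the example; the patterns are deliberately simple and would need tuning for real data.

```python
"""Inventory personal-data identifiers in text exports (added illustration, not the article's code)."""
import hashlib
import hmac
import re
from collections import Counter

# Constructed sample lines (not real data): two web-server access log entries,
# one row from a crew-list export and one line from a contacts file.
SAMPLE_LINES = [
    '203.0.113.42 - - [12/May/2018:10:01:22 +0000] "GET /booking?lang=en-GB HTTP/1.1" 200 512 "sid=ab12cd34ef56ab12cd34ef56ab12cd34"',
    '198.51.100.7 - - [12/May/2018:10:01:25 +0000] "GET /static/logo.png HTTP/1.1" 200 1024 "-"',
    "crew_list,MV EXAMPLE,master,master@example.com,passport:P1234567",
    "contact: ops@counterparty.example, phone: +44 20 7946 0000",
]

# Identifier classes that make a record "personal data": online identifiers
# (IP address, session cookie) as well as the obvious direct identifiers.
# The cookie and passport field formats are assumptions for this example.
PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "session_cookie": re.compile(r"\bsid=([0-9a-f]{32})\b"),
    "passport": re.compile(r"\bpassport:([A-Z0-9]{6,9})\b"),
}


def _valid_ipv4(text: str) -> bool:
    """Reject dotted quads with an octet above 255 (the regex alone accepts them)."""
    return all(0 <= int(octet) <= 255 for octet in text.split("."))


def scan(lines):
    """Return a list of (line_number, category, value) for every identifier found."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for category, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                value = match.group(1) if match.groups() else match.group(0)
                if category == "ipv4" and not _valid_ipv4(value):
                    continue
                findings.append((lineno, category, value))
    return findings


def summarize(findings):
    """Count findings per category: the figure that goes into the record of processing."""
    return Counter(category for _, category, _ in findings)


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256, truncated) of an identifier so the audit report does
    not become a new copy of the personal data. Same value + same key gives the same
    token, so hits can still be correlated across files; without the key the token
    cannot be reversed."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def audit_report(lines, key: bytes):
    """Per-line inventory with raw identifiers replaced by pseudonymous tokens."""
    return [(lineno, category, pseudonymize(value, key))
            for lineno, category, value in scan(lines)]


if __name__ == "__main__":
    hits = scan(SAMPLE_LINES)
    for lineno, category, value in hits:
        print(f"line {lineno}: {category} -> {value}")
    print(dict(summarize(hits)))
    # Hypothetical key: keep it outside the report and rotate it per audit.
    for row in audit_report(SAMPLE_LINES, b"audit-key-2018"):
        print(row)
```

Run over the constructed lines the scanner finds six identifiers (two e-mail addresses, two IP addresses, one session cookie, one passport number). The point of the keyed hash rather than a plain SHA-256 is that an attacker who obtains the report cannot simply hash candidate e-mail addresses or IP addresses to recover which ones appear in it.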
Overnight, the consequences of a cyber breach and the risk associated with the loss of sensitive data will become far more wide reaching. Vincent Vandendael, Chief Commercial Officer at Lloyd's, sets out key tips that businesses should consider to protect themselves ahead of the GDPR's introduction.
1. Invest in cyber security
Companies that can demonstrate they have taken steps to protect themselves from attack will be looked on more favourably by regulating authorities. A recent survey by Lloyd's showed that 92% of European respondents said that their company had suffered a data breach over the past five years, proving that it is a matter of when and not if a business becomes a victim of a cyber-breach or attack. Making sure your business has appropriate procedures in place and the right tools at its disposal to reduce this risk is a worthwhile investment and a small price to pay.
2. Take up cyber insurance
Companies need to ensure they are best prepared to mitigate the risks arising from a cyber attack. Taking out insurance should now be seen as that first critical step. The benefits mean your balance sheet can be protected by not just having a financial pay-out after things have gone wrong, but also having expert consultancy available to improve security and on-the-ground support during the period of crisis. By working with cyber security experts and insurers, businesses can better understand the risks they face and help mitigate them in order to protect their reputation.
3. Report breaches responsibly
As part of the new regulations, businesses will have a duty to report data breaches within 72 hours and failure to do so could result in a fine, as well as a fine for the breach itself. Organisations that fail to comply with the GDPR or experience a data breach could face fines of up to €20m (or 4% of their annual global turnover) in the most serious cases. Cyber-security experts NCC Group have estimated that fines from the Information Commissioner's Office (ICO) against UK companies last year would have been £69m rather than just £880,500 if the GDPR had been in force. In some cases, businesses will also be obliged to contact individuals whose data have been obtained because of a breach. Having sufficient procedures in place to effectively detect, report and investigate a personal data breach is paramount.
4. Understand the risks
Do not just leave it to the IT team. Everyone in the business should be aware of the changes and the C-suite must lead from the front in demonstrating how seriously these issues must be taken. You need to understand the risks that breaches present, how to avoid them and what to do when it happens. Ensure that everyone is briefed and understands how this affects their role moving forward. Pleading ignorance will not spare you a fine.
5. Regularly review procedures
Once you have everything in place ahead of the introduction of GDPR, do not be complacent. Some 15 years ago technology played a marginal role in our lives. Today it is part of everything we do and the risks and threats that exist are evolving just as fast as the technological solutions we rely upon to prevent cyber incidents. To ensure you are prepared, introduce regular audits to ascertain whether the procedures in place are working and what improvements could be made so you remain compliant and mitigate risks.