North P&I Club has highlighted the steps to be taken by the shipping industry to meet its obligations under the upcoming EU General Data Protection Regulation (GDPR), which enters into force in May 2018.
Against a backdrop of increasing digitalisation, the GDPR will update and enhance current data protection legislation by requiring businesses that deal with EU citizens to be transparent about how they use their data. The costs of non-compliance are potentially very high, as the new legislation will give regulators the ability to fine businesses that do not comply with the GDPR requirements up to 4% of their worldwide turnover.
North Club hosted a seminar and panel discussion on the GDPR at the Yacht Club of Greece in Piraeus focusing on how the industry could prepare for this legislation.
“The GDPR is an extensive piece of legislation and we believe GDPR preparedness should be regarded as a project, rather than a discrete piece of work. A designated person, people or function should have oversight of and accountability for GDPR readiness. However, engagement with all business units is essential, as it is likely that almost all business functions will have some access to personal data and undertake some processing of it,” explained Adrian Durkin, Director (Claims) at North P&I Club.
A key first step in preparing for the GDPR, according to Mr. Durkin, is a data audit to determine what personal data is held within each business area, where that data is received from, and where it is sent to, including which third parties or organisations receive it. That facilitates an assessment of whether the use of that data is lawful under the GDPR.
“The outcome of the audit enables organisations to consider how they will meet the key GDPR requirement of informing individuals about how their data is being used to achieve the transparency envisaged by the GDPR. This will also enable individuals to make an informed choice about whether they are happy with how information about them is being used by organisations.”
“It is important to be aware that the GDPR also applies when you receive personal data indirectly through another company or individual, so you need to make sure that you understand and document the arrangements with other organisations so you are both clear about your data protection obligations,” he added.
The seminar also looked at GDPR from a P&I perspective. In North’s view, GDPR liabilities are not excluded from P&I cover, but the circumstances when a fine for a GDPR breach might form the basis of a P&I claim are likely to be limited.
The Club points out that any violation of a GDPR obligation may constitute a breach. Indicatively, a breach could be:
- not implementing adequate security measures,
- not discharging Data Controller’s obligations,
- violating or not allowing the exercise of rights vested with data subjects,
- not fulfilling the requirements for transferring data outside the EU,
- not abiding by the principles and rules for lawful processing of personal data, etc.
The GDPR applies to all companies, including those with fewer than 250 employees (SMEs). However, SMEs are not required to maintain the record of processing referred to under Article 30 unless the processing is large scale or involves special category or criminal records data.
Note that the GDPR allows individual EU member states to consider whether they wish to amend the GDPR requirements for SMEs, so you should check whether any guidance has been or will be issued by your supervisory authority.
Further details about the General Data Protection Regulation (GDPR) may be found by reading the following FAQs by the North P&I Club.
For the US and North American markets, GDPR compliance is becoming quite challenging as companies are struggling immensely with scoping issues and documentation issues. More specifically, I’m finding that controllers and processors are unclear at times as to what’s in scope, then further challenged by the complete lack of policies and procedures in place. I look at GDPR compliance as a two-fold process, and that’s (1) putting in place the actual processes and best practices, and then (2) documenting such processes and practices with well-written, factual policies and procedures.
The amount of time and money that organizations are spending on policy creation, along with acquiring additional tools for GDPR compliance, is quite staggering, but again, it’s got to be done. Hopefully, as time passes, the EU will provide better guidance on many of the articles that are currently somewhat vague. This has been done to obviously account for the large number of industries that need to become compliant. Well, good luck to everyone with their GDPR compliance issues, and do all you can to meet the deadline of May 2018.