Shipowners are heading into uncharted and potentially costly waters over new European Union (EU) data laws.

The General Data Protection Regulation (GDPR) enters into force in May as part of the strengthening and unification of data security and privacy rights for all EU citizens.

Most of the GDPR principles are already present in the current law, but the GDPR strengthens both this law and the authorities' tools for enforcement of it.

This means a number of shipping companies are facing a shock in May, according to Felicity Burling, an associate at law firm HFW.

"There's a whole menu of measures required in order to be compliant with the GDPR," she told TradeWinds. "Apart from cruise lines, the shipping industry appears to be a bit behind on this."

The cruise industry has adapted quickly because it is used to dealing with customer data, the company believes.

But business-to-business, ie cargo shipping, is also affected, Burling explained. Employee and crew details, as well as names of counterparties' staff, are all personal data.

Companies cannot hold personal data any longer than it is needed. For example, if a crew member left a vessel and there was no legal or practical need to hold information on that person, the data should be destroyed.

Time to start work

"There is a lot of work to do and a lot to think about for these companies," Burling added.

She added that new staff may need to be taken on to deal with GDPR.

"The kicker is the penalty for breaches: a fine equal to 4% of revenue or EUR 20m ($24.9m), whichever is greater.

"A local data protection authority can ask to see records of what personal data is being processed and what is being done with it. 'Processing' means essentially anything you can do with data - anything short of dreaming about it."

"Many companies in the shipping sphere don't seem to be aware of it."

The first step is for a company to audit what personal data it holds, how the personal data is being used and who it is being shared with, and to work out what the organisation's lawful bases are for processing it. Personal data cannot be collected and processed without a lawful basis for doing so, HFW warned. Policies and privacy notices should then be updated.

Brexit not an issue

Surprisingly, the issue of Brexit for British companies is cut and dried in terms of GDPR: the UK is keeping the legislation.

"Businesses would be crippled if the UK did not keep the GDPR or an equivalent. There would be a lot more red tape on the exchange of data with EU companies," Burling said.

"There is a sea change globally. Data protection is being tightened up more and more across the world, so you might as well adopt the tightest restrictions."

Accountability important

GDPR puts a lot of emphasis on demonstrating and documenting compliance – it is no longer enough just to comply; organisations must now prove that they are compliant.

The rules cover all information about identified or identifiable living individuals which is kept in an automated or manual filing system, where personal data is accessible according to specific criteria.

This could include sets of manual records ordered chronologically which contain personal data. Personal data includes information from names and email addresses to more sensitive things like health records.

GDPR also maintains the rules on the export of personal data outside the European Economic Area (EEA), but increases the potential fines for non-compliance.

HFW said the rules apply to any business that is established in an EU member state, or if it is established in a place where an EU member state's laws apply, or if it offers goods or services to individuals within EU countries, or if it is monitoring individuals within the EU (eg by using internet browser cookies).

In shipping, GDPR could potentially apply if a vessel's flag state is an EU country, or if either the operator or owner has operations in any EU countries.

HFW believes the potential exposure for shipping organisations is vast. Shipping companies often collect a lot of personal data, from email addresses of business contacts and counterparties to vessel crew and passenger information, as well as information about their own staff.

Much of this information is likely to cross national borders and be exposed from time to time to physical and cyber security risk.

Hapag-Lloyd ahead of the game

Another UK lawyer told TradeWinds that its clients seemed to be well prepared for the changes and had been working on them for some time.

One example of a shipowner preparing early is Hapag-Lloyd, which set up a comprehensive GDPR project in spring 2017.

It told TradeWinds: "We set up different work streams that assess and adjust the IT infrastructure, our business procedures and governance structures. In addition to these joint efforts implemented to ensure full GDPR compliance, we started an awareness campaign that aims to make sure that all employees know their specific roles and responsibilities."

Hapag said that as a container shipping line with a highly integrated IT infrastructure, it operates its central IT systems from within the EU.

"We have therefore committed ourselves to comply with the GDPR across the entire Hapag-Lloyd organisation, and not only inside the EU," it added.

"These rules apply unless stricter national or international rules, e.g. the US NIST Cybersecurity Framework rules, set higher standards that we must adhere to."

The company has established an internal corporate data protection organisation (CDPO).

Guided by the CDPO office at the Hamburg headquarters, it has installed regional and local data protection officers who are continuously trained in EU data protection compliance.