Businesses now have less than two months to prepare for the greatest change to European data protection rules in two decades.
The EU General Data Protection Regulation (GDPR) becomes effective from 25 May. It will apply to a large number of shipping organisations — even those based outside the European Economic Area (EEA).
With the risk of large potential fines of up to 4% of global turnover, or €20m ($24.8m) — whichever is greater — potential claims from individuals and reputational damage, the shipping industry needs to act now in order to be prepared.
Here's a checklist to determine whether the GDPR applies to your company:
- Are any of your vessels flagged within the EEA?
- Is your website directed towards customers based in the EEA, for example by giving an option to choose a "UK" setting, an EEA currency, or a particular language? Can your services be bought from within the EEA?
- Do you have a registered establishment or an office in the EEA?
- Is your business currently registered with an EEA data protection authority, such as the UK's Information Commissioner's Office?
- Do you use service providers located in the EEA?
- Do you monitor the behaviour of any individuals within the EEA (irrespective of their nationality or habitual residence)? For example, if your website uses tracking cookies, then you are "monitoring individuals" for the purposes of the GDPR.
If the answer to any of these questions is "yes", then it is likely that the GDPR applies to you.
The GDPR introduces a host of new obligations and requirements with which businesses must comply.
Key action points to get you started:
1. Conduct a data audit. Shipping organisations may collect a lot of personal data, from email addresses of business contacts and counterparties, to vessel crew and passenger information. Analyse your systems and practices to check what personal data you process, why, how you use it, where it is stored and whether you still need it. Make sure to document your findings and decisions.
2. Draft or amend policies and procedures. The GDPR strengthens and adds to individuals' rights, and imposes new obligations on all data controllers in relation to reporting personal data breaches. Businesses will need to update or draft policies and procedures to ensure compliance with these, and other, obligations.
3. Inform individuals about your processing through fair processing notices. The GDPR increases the amount of information that must be included in these notices. Privacy policies will need to be updated and businesses will need to amend (or draft) notification forms.
4. Amend or put contracts in place with all data processors.
5. Appoint a data protection officer. Many businesses will be required to appoint data protection officers, or may choose to do so voluntarily, given the increased risks associated with data protection.
6. Finally, train your staff. Staff awareness is a crucial requirement of the new regulation. HFW has launched a 35-minute awareness course for all staff covering the GDPR, data protection best practice and the potential consequences of compliance breaches.