The General Data Protection Regulation (the Regulation or GDPR) comes into effect on 25 May 2018. The Regulation is arguably the most seismic change in European Union (EU) data protection law in over 20 years and will present major challenges for businesses operating within the shipping sector. The GDPR introduces a raft of new or enhanced obligations for organisations to grapple with, whether they are a “controller” or a “processor” of personal data. Under the new regime, maximum fines for non-compliance will be 4% of annual worldwide turnover or €20 million, whichever is higher. Combined with the risk of reputational damage, the consequences of failing to comply could be severe.
With just six months to go before the Regulation is in effect, advance preparation is key. In this briefing, we highlight six key areas that shipping companies, their insurers, and service providers should be aware of, along with recommended practical steps to aid compliance.
Does this apply to me?
The GDPR applies to all organisations that are “established” within the European Economic Area (EEA). Organisations that operate through an EEA affiliate or branch office and process personal data in the context of their operations will be deemed “established,” as will any organisation that operates “through stable arrangements” such as by appointing a local agent or representative to act on its behalf.
The GDPR will, however, also apply to organisations that are not established in the EEA, where they:
- offer goods and services to individuals within the EEA (whether or not for payment) or
- are subject to EEA laws by virtue of international law, for example where a ship is flagged with an EEA Member State registry.
If any of the above criteria apply, you will be caught by the GDPR regardless of where in the world the processing takes place.
When do I need to comply?
All organisations are required to be compliant by 25 May 2018.
What are some of the key changes?
1. New obligations for data processors
EU data protection laws are oriented around the concepts of “data controllers” and “data processors.”
- A “data controller” is any person or organisation that, either alone or in combination with others, decides how and why personal data is processed.
- A “data processor” is any person or organisation (apart from an employee of the data controller) that processes personal data on behalf of the data controller.
The distinction matters because, historically, only data controllers have had regulatory responsibility to comply with EU data protection laws. Under the GDPR, data processors will be directly regulated for the first time and will acquire many of the same obligations that apply to data controllers.
Whether an organisation is a “controller” or a “processor” depends on the circumstances. It is common for organisations to act in either or both capacities, depending on the specific data processing activity. In some cases, it will be obvious which category an organisation falls within. For example, an employer is usually considered to be a controller of its employees’ personal data. In other instances, it will depend on the context.
Within the shipping industry, the delineation can be more difficult to determine, since a supply chain service provider, such as a management company, could be exercising so much autonomy over the personal data that it could be considered a controller in its own right, even though the processing is ostensibly only for the benefit of its client.
This change will likely impact the dynamic between controllers and processors as each party seeks to ensure that its contractual arrangements reflect an appropriate apportionment of responsibility.
2. Appointment of processors and sub-processors
Once the GDPR is in force, data controllers will have to ensure that any organisations they appoint to process personal data on their behalf (“processors”) “provide sufficient guarantees to implement technical and organisational measures which will meet the requirements of the GDPR.” In practice, this means undertaking thorough due diligence when selecting service providers or subcontractors.
Controllers will also have to put in place a data processing agreement with each such processor that contains, as a minimum, specific obligations that are set out in Article 28 of the GDPR.
Data processors, in turn, will not be allowed to subcontract to third parties (“sub-processors”) without authorisation from the controller and only then if the processor enters into an agreement with its sub-processor which is back to back with the processor’s own contract with the controller.
Existing supplier arrangements will therefore need to be reviewed to ensure that they are compliant.
The new principle of accountability means it will no longer be sufficient to comply with data protection laws—organisations will also need to be able to demonstrate compliance.
As part of meeting this new accountability requirement, organisations will need to have appropriate policies and procedures in place to document how they can meet GDPR requirements. For example, failing to have a policy in place that tells employees how to report a data security breach may itself breach the accountability principle, even if no security breach occurs.
Other aspects of accountability are the principles of “privacy by design” and “privacy by default.”
- “Privacy by design” means that privacy needs to be factored in from the outset of any process, initiative, or policy involving the handling of personal data and not treated as an afterthought.
- “Privacy by default” means that the default position should be that any personal data processing activities should be conducted in the least privacy-invasive way.
As shipping companies continue to embrace new technologies, including increased automation, new data risks emerge. Additionally, the international nature of shipping, combined with increased fragmentation and complex supply chains, inevitably leads to data needing to be shared between many stakeholders. The use of data protection impact assessments can be a useful tool in assessing (and documenting) the privacy impact of any process, initiative, policy, or set of contractual arrangements that involves the processing of personal data.
Another aspect of accountability is the duty for organisations that process personal data on a large scale (for example relating to passengers, crew, suppliers, customers and / or contractors) to appoint a data protection officer (DPO).
4. Enhanced individual rights
The GDPR introduces new and enhanced rights for data subjects. As well as rights to access personal data that an organisation holds about them, individuals will have the right to rectify inaccurate data that is held about them or require its erasure (also known as “the right to be forgotten”). Individuals will also have the right to object to their data being processed for particular purposes (for example, direct marketing and/or profiling purposes). Organisations should therefore start planning now to ensure appropriate policies are in place to ensure that they can comply with these new obligations.
A duty to maintain appropriate measures to safeguard personal data against unauthorised use, or accidental loss or damage, remains at the heart of the GDPR. With cyber-attacks increasing and becoming ever more sophisticated, organisations will need to be even more prepared for such an eventuality. Part of the cyber risk management strategy should include implementing a cyber response policy and ensuring it is well understood within the organisation as well as having appropriate cyber insurance policies in place.
6. Reporting Requirements
The GDPR requires data controllers to notify data breaches to the national data protection authority (DPA) “without undue delay” and, in any event, within 72 hours if possible. In turn, data processors must notify the relevant data controller of any data breaches “without undue delay.” Certain minimum information (including details of the nature of the breach, its likely consequences, the measures proposed or taken to address the breach, and the data controller’s contact details) must be included in the breach notification.
Where an organisation cannot notify the DPA within these timescales, they will be required to explain when they make the notification why it was not possible to comply with the mandatory timescales. Since organisations may be reliant on others to identify a data breach (for example, employees and suppliers), having a data breach response policy is essential. Employees and contractors should be given appropriate training in how to identify and report a breach, and data breach response should form part of an organisation’s crisis response strategy.