The EU’s incoming General Data Protection Regulation (GDPR) is wide-reaching, and lack of compliance could mean heavy penalties for shipping companies
Shipping companies will soon have to face up to the realities of a new EU regulation aimed at strengthening and unifying data protection. The General Data Protection Regulation (GDPR) takes effect across the European Economic Area (EEA), and for many businesses established outside it, from May 25, 2018. It increases the requirements on data controllers and, for the first time, imposes direct obligations on data processors. The Regulation replaces the EU’s 1995 Data Protection Directive (95/46/EC).
Brokers, charterers and ship operators who have not previously heard of the new Regulation may be unsure about their obligations. Anthony Woolich and Felicity Burling, partner and associate at law firm HFW respectively, explain: “For example, in accordance with a new focus on accountability, data controllers and processors will be required to keep records of their processing. Contracts with processors will need to be updated to include new mandatory provisions. Privacy notices will need to be updated.
“‘Consent’ will be more difficult to obtain and may need to be refreshed. Principles of ‘privacy by design’ mean that organisations must look at their processing and assess whether it is really necessary. Under the new definition of personal data, online identifiers such as cookies and IP addresses can make an individual ‘identifiable’. The definition of ‘sensitive’ personal data also contains new elements such as genetic data.”
The need for awareness
Because the GDPR is EU legislation, businesses may understandably assume that it does not apply to their international organisation. However, Mr Woolich and Ms Burling advise shipping businesses to tread carefully before relying on that assumption.
“The GDPR applies to a non EEA organisation if it has a presence in the EEA, or it monitors the behaviour of individuals within the EEA (for example via cookies) or it offers products or services to individuals within the EEA. It also applies where EEA Member State law applies in accordance with international law,” they said.
“Coupled with the fact that the GDPR also imposes obligations on processors, this EU Regulation significantly widens EU regulators’ jurisdiction.”
UK businesses hoping that Brexit will be their get-out clause from the Regulation are also misguided. Mr Woolich and Ms Burling explained that every EEA Member State will have its own data protection law setting out enforcement mechanisms and exercising national discretion in the areas where the GDPR allows it.
“The GDPR will be specifically incorporated into UK law by a new Data Protection Bill which is intended to go beyond the GDPR in setting ‘the gold standard on data protection’,” Mr Woolich and Ms Burling said.
“For example, the UK Bill will introduce criminal offences for intentionally or recklessly re-identifying individuals from anonymised or pseudonymised data, and for altering records with the intent to prevent disclosure following a subject access request.”
Lack of compliance with the GDPR could result in heavy penalties. National supervisory authorities will be able to impose fines of up to €20m, or 4% of the business’ total worldwide annual turnover for the preceding financial year, whichever is higher. Member States will also need to set rules on other penalties for infringement of the Regulation and will be required to take “all measures necessary to ensure that they are implemented”. These penalties must be “effective, proportionate and dissuasive”.
However, according to Mr Woolich and Ms Burling, there are significant benefits to shipping companies that take the new legislation into account.
“Getting this right means that businesses are more likely to attract and retain their clients and customers,” they said.
“Marketing will be more effective and efficient and businesses will be better able to gain and maintain the trust of clients and employees alike.”
Applying the Regulation to businesses
To help businesses take effective steps towards compliance with the new Regulation, Mr Woolich and Ms Burling offered advice on bringing operations up to the new standard, focusing their guidance on five action points: conducting a data audit; drafting or amending policies and procedures; informing individuals about processing through fair processing notices; amending or implementing contracts with data processors; and appointing a data protection officer.
The pair explained that data controllers and processors must keep records of their personal data processing.
“Analyse your systems and practices to check what personal data you process, why and how you use them, where they are stored and whether you still need them,” they advised. “Check whether you process them in accordance with one of the permitted legal grounds (e.g. has the individual given their consent, or is the processing necessary for the performance of a contract with the individual, or necessary for a legitimate business interest?).
“‘Sensitive’ personal data is subject to stricter rules and processing usually requires the individual’s consent.”
When looking at policies and procedures, Mr Woolich and Ms Burling highlighted how the GDPR strengthens and extends individuals’ rights. The GDPR strengthens the rights of individuals to have their personal data deleted or its processing restricted, adds the right to have electronically stored personal data transferred to a different data controller (data portability), and shortens the timelines for responding to individuals’ requests. Data controllers will have new obligations to report personal data breaches to the relevant data protection authority within 72 hours of becoming aware of them, and to tell the individuals concerned “without undue delay” where the breach is likely to pose a high risk to them.
“It introduces a new concept of ‘privacy by design’, which requires businesses to think about protecting individuals’ privacy at the very beginning of any new project and to conduct ‘privacy impact assessments’ calculating the potential risks to individuals’ privacy rights,” Mr Woolich and Ms Burling said. “Businesses will need to update (or draft) policies and procedures to ensure compliance with these obligations.”
A further piece of advice concerned fair processing notices.
“Individuals must be kept informed about the processing of their personal data,” they said. “The GDPR increases the amount of information which must be included in these notices.”
“Privacy policies will need to be updated and businesses will need to amend (or draft) notification forms.”
Regarding putting contracts in place with data processors, Mr Woolich and Ms Burling explained: “The GDPR requires data controllers to have contracts in place with all of their data processors, containing certain elements specified in the GDPR.”
For the last point, the pair noted: “Many businesses will be required to appoint data protection officers, or may choose to do so voluntarily, given the increased risks associated with data protection.”