The General Data Protection Regulation, Regulation (EU) 2016/679 (GDPR), became applicable on 25 May 2018 to protect the personal data of individuals in the European Union. The GDPR applies across a wide range of sectors. In the shipping industry, the processing and cross-border transfer of personal data is a daily activity.
The GDPR does not apply only to organizations and companies established in the EU. Under Article 3(2), where an organization offers goods or services to individuals in the EU, or monitors the behavior of individuals within the EU, the GDPR applies to it even if it is located outside the EU, for example in the United Arab Emirates or China. The territorial scope of the GDPR is therefore effectively global, and the shipping industry, with its crews, agents and offices spread across jurisdictions, is particularly affected by that reach.
Shipping organizations and companies both store and process personal data such as crew and passenger details, identification documents, bank account details and travel documents, as well as special categories of personal data (often called sensitive data) such as medical records or information about injuries. Much of this data is shared with third parties, including manning agents, port authorities and port agents, P&I clubs, inspectors and travel agents, and will eventually cross borders. GDPR compliance in the shipping industry is therefore complex, but also essential and desirable.
Many provisions protecting personal data were already in force through national and international laws. The aim of the GDPR is to push for stricter security measures in the handling and processing of the personal data of individuals (the data subjects), while imposing substantial fines on those who fail to comply. Under Article 83 of the GDPR, the most serious infringements can be fined up to €20 million or 4% of the organization's total worldwide annual turnover of the preceding financial year, whichever is higher. For less serious infringements, the national supervisory authority can still impose fines of up to €10 million or 2% of worldwide annual turnover, whichever is higher.
It is therefore crucial to take proactive measures and implement effective data protection controls in order to reduce the risk of breaching any of the data protection obligations. Otherwise, shipping organizations face not only heavy fines but also private or collective actions from data subjects, which can lead to reputational damage and potentially even sink the business.
Shipping companies and organizations should take the following 5 steps to compliance:
- Conduct a data audit to determine what personal data you are storing and processing, for what purposes, on what lawful basis and for how long. A data audit enables an organization to consider how it meets key GDPR requirements and, for each processing activity, whether it acts as data controller, data processor or both; it also provides the basis for the record of processing activities required by Article 30. The audit should produce a data flow map showing how personal data moves within and outside the organization. For shipping organizations this map is essential because it shows which agents and organizations around the world receive the data. If you know the flow of personal data you can control its use, processing and transfer in line with the requirements of the GDPR.
- Draft or amend policies and procedures and provide training for your employees. You need a data protection policy, and training for management, HR, accounting and all other employees who handle personal data, so that the policy is followed day in, day out.
- Inform data subjects about the processing of their personal data, as required by Articles 13 and 14, and obtain consent where consent is the lawful basis relied on. For special categories of data such as medical details, Article 9 requires an additional condition to be met: explicit consent is one option, but others, such as obligations under employment law or occupational health and safety, will often be the more appropriate basis, and consent obtained from crew members may not count as freely given because of the imbalance between employer and employee. Data subjects must be told about their rights and be able to exercise them, including the right of access to their data.
- Draft or amend contracts with data processors and service providers. In day-to-day shipping, companies work with numerous third parties. For instance, where a manning agency processes personal data on behalf of the shipping company, and the shipping company is the data controller, a data processing agreement meeting the requirements of Article 28 is needed.
- Appoint a data protection officer where Article 37 requires one, and consider doing so voluntarily otherwise. The role of the data protection officer is to inform and advise the organization on its GDPR obligations, to monitor compliance and to ensure that the organization's data protection policy is in place and applied. The officer is also the first point of contact for the supervisory authorities and for data subjects.
Shipping organizations regularly transfer personal data to foreign jurisdictions. The main concern arises when these transfers are made to countries outside the EU (third countries). Such a transfer is permitted without further measures only where the Commission has decided that the third country ensures an adequate level of protection (Article 45). The list of countries covered by an adequacy decision includes, among others, Andorra, Argentina, Canada (commercial organizations), the Faroe Islands, Guernsey, the Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay. For other countries, such as the Philippines, appropriate safeguards under Article 46 must be put in place to ensure that the rights of data subjects are protected. Such safeguards can take the form of a legally binding and enforceable instrument between public authorities, binding corporate rules, or standard data protection clauses adopted by the Commission, or adopted by a supervisory authority and approved by the Commission.
Over the last few decades, the shipping industry has transformed substantially. Safety and environmental regulations were both needed and desirable, but they came with a financial cost. Implementing the GDPR need not be costly or burdensome. Organizations with global data protection policies and agreements in place will eventually stand out from their competitors.