What does GDPR mean for shipping?
GDPR isn't just about newsletters - the regulation has real implications for maritime stakeholders, as Tim Springett explains
The European General Data Protection Regulation (GDPR) entered into force on 25 May this year. While many of its provisions already applied under existing national and European data protection laws, the advent of the GDPR raised the profile of the issue and concentrated the minds of those in organisations that are now faced with the possibility of huge fines for any failure to protect adequately the personal data of their customers and employees and, most importantly, to report when a breach has occurred.
Under GDPR, companies are obligated to do three basic things: to ensure that data is held only for specific reasons and purposes; to ensure data subjects’ consent is not only freely given but as easy to withdraw as to provide, and to ensure systems for the storage and processing of data are secure.
This has led to the emergence of a whole industry of instant experts in data protection, who flooded many people’s inboxes with apocalyptic warnings of impending catastrophe and quick-fix solutions of high cost and limited results. Quite how they compiled their distribution lists without breaching pre-existing data protection laws is not entirely clear.
One of the key issues for those in the shipping industry concerned cross-border transfers of personal data, particularly between EEA and non-EEA states. To what extent would GDPR apply to seafarers recruited from non-EEA countries? Would it be lawful for personal data to be passed to organisations in countries outside the EEA? These would include crewing and manning agencies, but also Port State Control and other statutory authorities and overseas ports.
The Chamber sought answers to these important questions from legal experts at law firm Hill Dickinson, who led a workshop for members at the UK Chamber last September. Following on from this, the Chamber prepared a publication, ‘The GDPR: Guidance to Shipping Companies’, which was published by Witherby Publishing in June this year.
Following requests from members, the Chamber will host a follow-up workshop entitled 'The GDPR – Implementation and Next Steps' on the afternoon of Thursday 18 October. The key purposes of the workshop will be to introduce the guidelines and hear members’ experiences of bringing their data protection procedures into line with GDPR.
Hill Dickinson’s Javed Ali will take centre stage and will provide answers to some of the most important questions that members have raised concerning the GDPR. These include how transfers of personal data between data controllers and processors inside and outside the EEA should be conducted in order to be GDPR-compliant; the use of data protection clauses in contracts and charterparties, and the link between shipboard and shore-based data protection policies.
Mr Ali will also report on Hill Dickinson’s own experiences of the application of GDPR, the role that the Information Commissioner’s Office has played since 25th May and details of prosecutions for breaches of GDPR that have been brought.
Following Mr Ali’s presentation, members will have the opportunity to put their own questions to him and raise any further matters that might have come to light since the regulation’s entry into force. Suggestions for further actions by the UK Chamber will also be welcomed.
- For more information about the 'The GDPR – Implementation and Next Steps' event and to register, click here. As usual, the event is free to attend for members of the UK Chamber; a fee applies for non-members.