The EU General Data Protection Regulation (GDPR) came into full effect on 25 May 2018.
The Regulation is vast, but in essence, under GDPR, companies are required to (a) know exactly what personal data they process, (b) make sure there is an appropriate legal basis for each of their processing activities and (c) take appropriate technical and organisational measures so that personal data is kept safe.
The GDPR applies across industries and is of particular interest to shipping. While awareness has been raised substantially among organisations operating in the shipping industry, the actual implementation of the Regulation is proving to be rather challenging.
What are the main GDPR issues in shipping?
When implementing GDPR in shipping, there are many battles to fight. To name a few:
• Data audits and establishing an appropriate legal basis: Shipping companies process personal data such as personal identification documents, bank details, travel documents, training records and performance evaluations, but also data in the GDPR ‘special categories’ (often called ‘sensitive’ data), such as medical records. It is essential that a data audit is conducted and that careful consideration is given to the legal basis that justifies each processing activity, for each category of personal data.
• Retention and destruction of data: Crew data is processed daily, even by small shipping companies. Most shipping companies keep records of their crew members between embarkations and for some time after the last disembarkation. Deciding upon retention periods for each category of data, and implementing a policy for the safe destruction of that data once the period expires, is not easy.
• Data transfers and IT security: In the normal course of business, shipping companies receive personal data from many sources, such as the individuals themselves, manning agents, port agents and other third parties. They also transfer personal data to many recipients, such as manning agents, P&I clubs, travel agents, port agents, port authorities and inspectors. Ensuring the lawfulness of such transfers, as well as maintaining a secure transmission channel for them, has proven to be very challenging.
• International reach and data privacy legislation: Shipping companies regularly transfer data to a large number of jurisdictions. Of particular interest are transfers to countries outside the EU, and specifically to jurisdictions that are not covered by an EU adequacy decision, where certain conditions (appropriate safeguards) must be met in order for the transfer to be allowed. Carrying out and, most importantly, documenting this due diligence process and the safeguards it requires is a tricky and time-consuming process.
• Review of contracts with service providers: Shipping companies collaborate with a number of third parties in the normal course of business. For the purposes of GDPR, those parties could be data processors or joint controllers with the shipping company. Carefully considering each of these parties, along with the nature of the services provided and the data processing activities involved, so that they are appropriately classified, is crucial and directly linked to the level of compliance responsibility the shipping company assumes. It is then a matter of ensuring that contracts and agreements with these parties appropriately reflect each party’s responsibilities.
What are the challenges that shipping companies face when implementing GDPR?
Shipping companies have faced significant regulatory change, particularly in the past decade, with extensive safety, environmental and other regulations being enacted. Most players, especially in private shipping, seem to have developed a reactive strategy towards compliance in general. While this was an effective strategy up to now, the level of regulation in the industry has increased so rapidly that companies are beginning to realise the necessity of an overall compliance risk assessment and strategy, one that could help streamline processes across requirements, avoid overlaps and direct resources to the riskier areas.
Tackling the IT aspects of GDPR
GDPR is not an IT project. However, data security and IT security in general are highly topical, as companies usually operate in a fragmented IT environment, and the question of repair or re-design is often on the table. Leaving GDPR aside for a moment, to maintain robust data security companies must implement IT controls in areas such as encryption, data anonymisation or pseudonymisation, data integrity and access management. Safeguarding the integrity of communications between the vessels and the office ashore also presents difficulties.
Being an area of significant spending, GDPR-related IT projects are often particularly scrutinised by top management prior to approval. This is not merely due to budgetary constraints, but because spending on risk management projects does not translate into an expected growth in revenue, and shipping companies’ appetite for compliance risk varies significantly. Having said that, according to research by the Ponemon Institute, the global average cost of a data breach has risen to $3.92 million, up from $3.50 million in 2014.
Tackling the legal aspects of GDPR
GDPR is not a legal project either. However, there are many legal aspects to consider. One area of particular interest is the legal justification of data processing (including health data processing) and of transfers, particularly when shipping practices require that such transfers be made to jurisdictions with weak privacy regimes, to port agents, for example.
Then, of course, there is the large number of data processors and joint controllers involved in day-to-day shipping, such as manning agents, travel agents and other third parties or affiliated entities. Here it is crucial to conduct a full review of the contracts in place, to establish that the relevant GDPR terms exist and that they map to the nature of the services that involve personal data processing. This requires legal expertise as well as a deep understanding of shipping practices, beyond what the agreements themselves state.
Documenting compliance
One less obvious challenge in shipping companies’ journey to GDPR compliance is documentation. Being in compliance with GDPR also means being able to prove it, and this is a challenge in itself, especially for more traditional shipping companies that operate lean business models and have limited human resources. While such companies often have a robust internal control environment, they would struggle to prove it, merely due to the lack of documentation.
The two most important elements: Mindset and People
Tackling GDPR, and the ever-increasing volume of regulation in general, requires a mindset of ownership when it comes to compliance and a willingness to approach it proactively rather than reactively, through the lens of corporate governance and by maintaining an effective control environment that runs top-down, from the operations onshore all the way to the vessels.
Owner and top management commitment is therefore crucial. Shipping companies that have implemented a top-down approach to GDPR have engaged the right people from the outset of the project, have made more effective use of existing structures and controls, and are in a better position to tackle the requirements of the Regulation with less disruption.
* Pinelopi is Governance, Risk and Compliance Partner at Moore Greece. She has over 15 years of audit, consulting and regulatory advisory experience in Greece and in the UK. Having worked primarily with large corporations, she has considerable experience in internal control design and operational effectiveness monitoring. She has since also worked closely with smaller entities, helping to introduce the main concepts of governance with the aim of enhancing control over operations and achieving efficiencies. Pinelopi is a UK-trained Chartered Accountant and a Fellow of the Institute of Chartered Accountants in England and Wales (ICAEW).