News / 15-11-2017 / Is the shipping industry prepared for GDPR

To read the PDFnbspversion of this factsheet, please click hereWhat personal data do you hold, where and whygtnbspnbspRun audits and risk assessments on collected personal datanbspConsider what data you have, why, who sees it, who needs to see it, how long it needs to be kept, and whether it is shared, particularly if sent outside the EEA and ensure that all this information is documentedgtnbspnbspUpdate outdated personal data or delete it if it is no longer needed gtnbspnbspConsider what employee and passenger data you hold and whether some of that data contains sensitive personal data (for example, medical information) which has an additional layer of protection (the individual's consent is required for processing, save in life or death situations)What is your lawful reason for processing personal data and how do you record thatgtnbspnbspIf you currently rely on consent for processing personal data, ensure this is documented properlygtnbspnbspCheck whether there are other grounds that you can rely on instead eg is the processing necessary for the performance of a contract with the individual or for a legitimate business reason (both of which might apply to passenger or employee information) and record the reason relied ongtnbspnbspCheck that each individual on any marketing databases has consented to receive electronic marketing, or that they were given the opportunity to opt out from such marketing when their contact details were first collectedIs your Privacy Notice GDPR readygtnbsp Add a privacy policy to your website and emails (or update it if you already have one) to make clear how you use personal data collected (for example, through online bookings)gtnbspnbspConsider just in time notices (such as a text box which appears on the screen when the individual starts to input personal data) to say how that information will be usedgtnbspnbspIf you collect information on individuals from third parties (such as travel agents), ensure that the individuals are aware that you are processing their data and consider amending contracts with the third parties to ensure that this is done Who do you share personal data with, why and what controls do you have in place to protect that datagtnbspnbspConsider which of your service providers and counterparties (such as travel agencies, local agents, crewingmanning agents) are acting as data processors and which are acting as controllers or joint controllers gtnbspnbspMake sure that your contracts with other parties who might be data controllers or processors are clear about their responsibilities under the GDPR How do you deal with and report data protection breachesgtnbsp Ensure that systems are in place to notify a personal data breach to the relevant supervisory authority within 72 hours after becoming aware of a personal data security breach and to notify the data subject without undue delay in prescribed circumstancesgtnbspnbspCreate and maintain a register of data breaches, including details of how the breach occurred and what steps were taken to resolve itgtnbspnbspConsider taking out cyber and data risks insurance as an extra layer of protectionDo you need a Data Protection OfficergtnbspnbspDesignate someone to take responsibility for data protection compliancegtnbspnbspAssess whether you are required to appoint a Data Protection Officer, or whether you wish to appoint one voluntarily (this may be advisable for high profile cruise companies that hold a lot of passenger data) and make arrangements accordingly Do you transfer personal data internationally (including online or via cloud services)Within the EEA gtnbspnbspAppoint a Lead Supervisory Authority (LSA)gtnbspnbspCheck for any country-specific guidance published by the LSA or any secondary legislation enacted in that jurisdiction and seek assistance from the LSA on any areas of ambiguityOutside the EEA gtnbspnbspConsider whether any exemptions for transfers of personal data outside the EEA applygtnbspnbspIf not, assess whether the requirements for transfer are metgtnbspnbspIn the case of multinational companies, consider adopting Binding Corporate RulesWhat processes do you have in place to deal with improved rights for individualsgtnbspnbspPut processes in place to deal with requests from individuals (often crew), making data subject access requests within the shorter period permitted for response (one month maximum)gtnbspnbspEnsure that those dealing with personal data know how to deal with the new rights, including how to delete data if requested and how to provide data electronically