Is the shipping industry prepared for GDPR?


What personal data do you hold, where and why?

- Run audits and risk assessments on collected personal data. Consider what data you have, why, who sees it, who needs to see it, how long it needs to be kept, and whether it is shared, particularly if sent outside the EEA, and ensure that all this information is documented.
- Update outdated personal data or delete it if it is no longer needed.
- Consider what employee and passenger data you hold and whether some of that data contains sensitive personal data (for example, medical information) which has an additional layer of protection (the individual's consent is required for processing, save in life or death situations).

What is your lawful reason for processing personal data and how do you record that?

- If you currently rely on consent for processing personal data, ensure this is documented properly.
- Check whether there are other grounds that you can rely on instead, e.g. is the processing necessary for the performance of a contract with the individual or for a legitimate business reason (both of which might apply to passenger or employee information), and record the reason relied on.
- Check that each individual on any marketing databases has consented to receive electronic marketing, or that they were given the opportunity to opt out from such marketing when their contact details were first collected.

Is your Privacy Notice GDPR ready?

- Add a privacy policy to your website and emails (or update it if you already have one) to make clear how you use personal data collected (for example, through online bookings).
- Consider just-in-time notices (such as a text box which appears on the screen when the individual starts to input personal data) to say how that information will be used.
- If you collect information on individuals from third parties (such as travel agents), ensure that the individuals are aware that you are processing their data and consider amending contracts with the third parties to ensure that this is done.

Who do you share personal data with, why and what controls do you have in place to protect that data?

- Consider which of your service providers and counterparties (such as travel agencies, local agents, crewing/manning agents) are acting as data processors and which are acting as controllers or joint controllers.
- Make sure that your contracts with other parties who might be data controllers or processors are clear about their responsibilities under the GDPR.

How do you deal with and report data protection breaches?

- Ensure that systems are in place to notify a personal data breach to the relevant supervisory authority within 72 hours after becoming aware of a personal data security breach and to notify the data subject without undue delay in prescribed circumstances.
- Create and maintain a register of data breaches, including details of how the breach occurred and what steps were taken to resolve it.
- Consider taking out cyber and data risks insurance as an extra layer of protection.

Do you need a Data Protection Officer?

- Designate someone to take responsibility for data protection compliance.
- Assess whether you are required to appoint a Data Protection Officer, or whether you wish to appoint one voluntarily (this may be advisable for high profile cruise companies that hold a lot of passenger data) and make arrangements accordingly.

Do you transfer personal data internationally (including online or via cloud services)?

Within the EEA:

- Appoint a Lead Supervisory Authority (LSA).
- Check for any country-specific guidance published by the LSA or any secondary legislation enacted in that jurisdiction and seek assistance from the LSA on any areas of ambiguity.

Outside the EEA:

- Consider whether any exemptions for transfers of personal data outside the EEA apply.
- If not, assess whether the requirements for transfer are met.
- In the case of multinational companies, consider adopting Binding Corporate Rules.

What processes do you have in place to deal with improved rights for individuals?

- Put processes in place to deal with requests from individuals (often crew), making data subject access requests within the shorter period permitted for response (one month maximum).
- Ensure that those dealing with personal data know how to deal with the new rights, including how to delete data if requested and how to provide data electronically.
