The General Data Protection Regulation (the Regulation or GDPR) comes into effect on 25 May 2018. The Regulation is arguably the most seismic change in European Union (EU) data protection law in over 20 years and will present major challenges for businesses operating within the shipping sector. The GDPR introduces a raft of new or enhanced obligations for organisations to grapple with, whether they are a “controller” or a “processor” of personal data. Under the new regime, maximum fines for non-compliance will be 4% of annual worldwide turnover or €20 million, whichever is higher. Combined with the risk of reputational damage, the consequences of failing to comply could be severe.
With just six months to go before the Regulation is in effect, advance preparation is key. In this briefing, we highlight six key areas that shipping companies, their insurers, and service providers should be aware of, along with recommended practical steps to aid compliance.
Does this apply to me?
The GDPR applies to all organisations that are “established” within the European Economic Area (EEA). Organisations that operate through an EEA affiliate or branch office and process personal data in the context of their operations will be deemed “established,” as will any organisation that operates “through stable arrangements” such as by appointing a local agent or representative to act on its behalf.
The GDPR will, however, also apply to organisations that are not established in the EEA, where they:
- offer goods and services to individuals within the EEA (whether or not for payment) or
- are subject to EEA laws by virtue of international law, for example where a ship is flagged with an EEA Member State registry.
If any of the above criteria apply, you will be caught by the GDPR regardless of where in the world the processing takes place.