Leading marine insurer North P&I Club has highlighted the steps to be taken by the shipping industry to meet its obligations under the upcoming EU General Data Protection Regulation (GDPR), which enters into force in May 2018.
Against a backdrop of increasing digitalisation and technological developments, the GDPR will update and enhance current data protection legislation by requiring businesses who deal with EU citizens to be transparent about how they use their data. The costs of non-compliance are potentially very high, as the new legislation will give regulators the ability to fine businesses who do not comply with the GDPR requirements up to 4% of their worldwide turnover.
North hosted a seminar and panel discussion on the GDPR at the Yacht Club of Greece in Piraeus to provide the shipping community with guidance on best practice and how to prepare for this important legislation.
Explaining North’s approach to GDPR compliance, including the steps taken and the resources committed by North to meet its GDPR obligations, Adrian Durkin, Director (Claims) at North P&I Club, said: “The GDPR is an extensive piece of legislation and we believe GDPR preparedness should be regarded as a project, rather than a discrete piece of work. A designated person, people or function should have oversight of and accountability for GDPR readiness. However, engagement with all business units is essential, as it is likely that almost all business functions will have some access to personal data and undertake some processing of it.”
“A key first step in preparing for the GDPR is a data audit to determine what personal data is held within each business area, where data is received from and where it is sent to. In other words, which third parties or organisations. That facilitates an assessment of how the use of that data is considered to be lawful under the GDPR.”
“The outcome of the audit enables organisations to consider how they will meet the key GDPR requirement of informing individuals about how their data is being used to achieve the transparency envisaged by the GDPR. This will also enable individuals to make an informed choice about whether they are happy with how information about them is being used by organisations.”
“It is important to be aware that the GDPR also applies when you receive personal data indirectly through another company or individual, so you need to make sure that you understand and document the arrangements with other organisations so you are both clear about your data protection obligations.”
Representatives from legal and professional services firms Hill Dickinson, Mazars and PPT Legal shared their expertise at the webinar on a range of related GDPR issues, including the challenges and opportunities of the GDPR, the enforceability of GDPR and the risks of non-compliance.
The seminar also looked at GDPR from a P&I perspective. In North’s view, GDPR liabilities are not excluded from P&I cover, but the circumstances when a fine for a GDPR breach might form the basis of a P&I claim are likely to be limited. Further, cover for such a fine would be discretionary and would require the Member to establish that all reasonable steps to avoid the breach had been taken.