THE GENERAL DATA PROTECTION REGULATION: GUIDANCE TO SHIPPING COMPANIES In memory of Maria Pittordis, a great lawyer whose contribution to the shipping industry was invaluable. iii Introduction 1 Summary of the GDPR 1 Key definitions 2 Key articles 4 Lawfulness 6 Consent 6 The right to erasure 7 Data Subject’s right to information 7 Company Data Protection Officer (DPO) 8 Issues specific to the shipping sector 9 Implementation and familiarisation – How to achieve compliance 11 Action plan for companies 12 Phase 1: Awareness, information audit and risk assessment 12 Phase 2: Make decisions 13 Phase 3: Develop policies, procedures and documents 13 Phase 4: Review security 15 Phase 5: Training and governance 15 Further Contact 15 ANNEX 1 16 General Data Protection Regulation 16 CONTENTS 1 INTRODUCTION The purposes of this guidance document, issued by the UK Chamber of Shipping with Hill Dickinson LLP, are: O to summarise the key points of the General Data Protection Regulation (GDPR); O to identify the main areas where shipping companies will be affected by it; and O to advise companies on the most effective and efficient ways to familiarise themselves with the new rules and then to determine how to best implement them. This document is for guidance only and companies are advised to obtain their own legal advice on compliance with the GDPR. This document focuses specifically on the maritime sector and the key areas for implementation, such as crewing issues and seafarer payments. It seeks to give a simplified explanation of the GDPR and of how companies can identify what further measures, if any, they should take to implement data protection policies that comply with the GDPR. SUMMARY OF THE GDPR The GDPR applies to the processing of personal data held by a business that has an established presence in the European Union, irrespective of where in the world the data is held. It will also apply to non-EU businesses that provide goods and services to, or monitor behaviour of, Data Subjects in the EU. Compliance with the existing UK Data Protection Act 1998 (DPA) will not be sufficient to comply with the requirements under the GDPR. However, if a company has implemented the DPA then it will certainly find adapting its business to the GDPR much easier. GDPR is an evolution and not a revolution. The UK Government plans to implement the GDPR in its new Data Protection Act, which will replace the 1998 Act. Its statement of intent, published on 7 August 2017, made it quite clear that the UK has committed to updating and strengthening its data protection laws. In certain respects the new Data Protection Act may contain more stringent requirements than the GDPR, for example in respect of the appointment of a Data Protection Officer (DPO). The GDPR will apply in the UK both before and after Brexit. UK CHAMBER OF SHIPPING CHAMPIONING AND PROTECTING KEY DEFINITIONS Data Subjects are identifiable living persons who provide their personal data to a business. They include employees, consumers and clients. Personal Data is defined as any information relating to an identified or identifiable living person. The following are considered to be personal data of a person: O name O address O date of birth O IP address O biometric data relating to the individual O medical history including details of any disabilities O pre-employment medical examination information O bank account number O credit card number O National Insurance number O passport number O seaman’s discharge book number O personal details of next of kin O allotment details O union membership O ethnic group/nationality, religious beliefs O criminal records. Appropriate technical and organisational measures must be implemented to ensure an appropriate level of security and to demonstrate that the processing is in accordance with the Regulation. This will require businesses to keep detailed records of their processing activities and, where appropriate, the possible appointment of a Data Protection Officer (DPO). Processing is defined in the Regulation as any operation performed on the personal data which includes the following: O collection O recording 3 O organisation O structuring O storage O adaptation or alteration O retrieval O consultation O use O disclosure by transmission, dissemination or otherwise making available O alignment or combination O restriction O erasure or destruction. This personal data can be received from a variety of sources. It is important that companies are aware of these, in order to monitor the incoming channels of data. These sources can include: O applicants for employment (including speculative applicants) O employees including access via portals O clients O contractors/sub-contractors O port agents O doctors and clinics O manning/crewing agencies O ship managers O governments O insurers O other companies O institutions in third countries. Under the GDPR, if you as a business are receiving data directly from an individual than you will be considered a Data Controller. You may have authorised manning agents acting on your behalf as your agent to recruit crew. These manning agents – if they are only acting on your specific instructions – will be Processors under the GDPR and not Controllers. Data Controllers determine the purposes and means of processing an individual’s personal data. They are required to ensure that their contracts with data Processors comply with the GDPR.