New European regulations covering the processing and collection of personal data come into force in May next year and shipmanagement companies based in Europe and outside could face fines of up to €20 million or 4% of annual global turnover, whichever is the higher, in the event of a serious breach of the regulation.
This is a serious warning to the industry, which is why InterManager has earmarked the General Data Protection Regulation (GDPR) as an important initiative that its members need to be aware of.
It will focus on the issue at the forthcoming International Shipowning and Shipmanagement Summit (ISSS) to be held in London on Monday 11th September, as part of London International Shipping Week 2017.
Ian MacLean, Master Mariner and Partner at Hill Dickinson LLP, will address delegates at length about what the regulations mean for ship managers and the pitfalls the industry needs to be aware of.
Capt Kuba Szymanski, Secretary-General of InterManager, urged ship managers to start taking steps to ensure they are compliant with their obligations under the regulations and said the ISSS conference debate was a good place to start.
“It is all about accountability when it comes to processing and sharing the personal data of individuals but this needs to be conducted securely. The magnitude of the fines highlights the seriousness facing the industry.”
According to Hill Dickinson, the GDPR increases the rights of individuals, strengthens the obligations of companies and increases sanctions for non-compliance. The most significant addition is the accountability principle.
Maria Pittordis, Partner and Head of Marine, Trade and Energy at Hill Dickinson, said: “The GDPR requires you to show how you comply with the principles by documenting the decisions you take about a processing activity. As well as an obligation to provide comprehensive, clear and transparent privacy policies.
“Where an organisation has more than 250 employees, it must maintain additional internal records of its processing activities. If an organisation has fewer than 250 employees it is required to maintain records of activities related to higher risk processing, such as: processing personal data that could result in a risk to the rights and freedoms of an individual; or processing of special categories of data or criminal convictions and offences,” she said.
Hill Dickinson also pointed out that it is important to carry out an audit now to ensure that the right policies and procedures are in place. This should be done by the company and not by external consultants. GDPR compliance is a board-level issue and not the responsibility of the IT department. GDPR is not just about IT security. It should not be assumed that compliance with the present Data Protection legislation will mean compliance with GDPR.
Source: Hellenic Shipping News.