The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy for all individuals within the European Union and the European Economic Area. It also addresses the export of personal data outside the EU and EEA.


The regulation contains provisions and requirements about the processing of personally identifiable information of data subjects inside the European Union. Business processes that handle personal data must be built with privacy by design and by default, meaning that the system must be designed to adhere to principles of data protection.

In light of this, the Swedish Club offers 10 "best practice" tips for the treatment of personal data:

  1. Respect: Treat everyone’s personal data with the same respect you would wish for your own.
  2. Minimise the generation of personal data by email and on paper: The less personal data being created and circulated, the easier it is to protect. Only send information which is necessary for the handling of the claim.
  3. Cybersecurity: Ensure computer systems are secure and try to make use of security measures such as password protection and secure email servers when transferring attachments containing passports, medical reports, contracts of employment etc.
  4. Anonymisation: Use identifiers for individuals, like crewmember, broker, surveyor etc. instead of names and dates of birth. Other identifiers could be the vessel name, the nature of the incident, or the port of disembarkation, with a reference number. This applies not just to the subject heading and body of an e-mail but also to any documents which support the claim. If there is no alternative to using a name, the Club recommends that it is cited with as few other identifiers as possible.
  5. Start afresh: If you cannot avoid identifying an individual, do so once and then start a new email so that the same personal data is not repeated in the email chain.
  6. Reply all? Check that it is appropriate that everyone in the circulation list should actually receive the e-mail you are about to send.
  7. Use Official email addresses: Do not use unofficial, private, or any other non-secure email accounts.
  8. Clear and lock: Keep your desk clear and your computer screen locked when you are away from your desk. Dispose of hard copy data in a secure way.
  9. Familiarise yourself with GDPR, including how it applies to your business and the penalties for non-compliance.
  10. Communicate these guidelines to everyone in your organisation.