Have you ever thought about the cyber risks surrounding the personal data of seafarers? Shipping companies are responsible for the data of the seafarers they employ and are equally responsible for protecting that data. In this article, we explain the importance of GDPR data protection.
Cyber security has long been discussed within the shipping industry, and in the last few years it has remained a hot topic, causing great disruption to companies and their personnel. As already stated, there are several steps for a company to take to protect its technologies.
Yet, it seems that the industry is focused on one part of cyber security: training personnel, informing them of the cyber risks and then requiring shipping companies to have a cyber security plan.
Equally important is the protection of the personal data of the seafarers employed by the companies. This is where GDPR plays a major role.
Rewind: The role of GDPR
In May 2018 the European Union brought into force the General Data Protection Regulation (GDPR).
By May 25, 2018 all organizations in the EU, as well as those that deal with data related to EU residents, were obliged to comply with the new data privacy law included in the EU GDPR.
According to Steamship Mutual, the GDPR is concerned with the handling of personal data – any data that identifies an individual or relates to an identifiable individual. Its purpose is to give data subjects greater rights with respect to their personal data and to require those handling personal data to be able to justify using and keeping them, and to have in place appropriate security to protect the personal data they hold.
The GDPR applies not only to European individuals and entities (wherever in the world they process data) but also to the processing of personal data:
- of data subjects who are in the EU by an entity or individual based outside the EU, where the processing activities relate to:
  - the offering of goods or services to data subjects in the EU; or
  - monitoring their behaviour as far as their behaviour takes place within the EU;
- by an entity or individual not based in the EU, but in a place where Member State law applies by virtue of public international law.
Keep in mind that there are significant penalties for breaching the GDPR. For the most serious breaches, companies could face fines of up to (the greater of) 20 million Euros or 4% of worldwide group turnover. As well as this, the reputational damage to companies that suffer data leaks can be very substantial.
Cyber security and GDPR in shipping
The protection of the personal data is a step not to be forgotten. Companies must ensure they have the cyber security measures needed to safeguard the data in their own systems and make sure that the data is sent and received in a secure way.
Steamship’s John Hamlyn, Legal Services Executive, and Vijay Rao, Loss Prevention Executive, highlight that…
Although the GDPR is only concerned with personal data, the imposition of appropriate security measures will ensure that operational and commercially sensitive data is also more secure. These measures may include using appropriate security software, passwords and other user authentication measures, the anonymising of data, and the use of secure or encrypted email servers when transferring emails and attachments containing personal data.
When it comes to crew and crew change operations, one of the terms used within the industry is Personally Identifiable Information (PII). PII is defined as any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means.
Concerning PII, speaking at the CrewConnect Global Virtual Event, Cameron Amigo (Global IT and Data Management Lead at SPI Marine) explained that the industry should be aware of cybersecurity threats as a part of this. Having the personal information in your company’s files, although helpful, comes with great risk if a potential attack occurs. He adds that in the event of a cyber-attack, every company must have a specific plan implemented to make it difficult for attackers to attack.
Concluding, having a plan and being ahead of the attackers is recommended. Companies have to be aware of the possible risks and their impact on the operations.