The so-called “cyber hurricane” events, where hackers disrupt large numbers of companies through common internet infrastructure dependencies, are increasing. On the one hand, technological innovation provides new ways to mitigate risk, but on the other it creates new perils. Autonomous machines, Artificial intelligence (AI), digitalized supply chains, and better utilization of data and analytics are expected to offer a wide range of opportunities and enable greater productivity and more tailored customer offerings, while automation is considered as safety enhancement measure to minimize human error. However, recent studies suggest vulnerability of connected systems to system failure or hacking and other malicious cyber acts, such as extortion and espionage, will increase further in future.
In an effort to eliminate such risks and set the principal for transparent use of personal data, the EU adopted in 2016 the General Data Protection Regulation (GDPR) which from the 25th of May 2018 onwards will be directly applicable to all EU Member States. The regulation requires all organizations providing services or handling data related to EU citizens, to comply with it, even if the organizations are not located in EU. The way in which a business manages a data breach has a direct impact on the final cost. This will become even more the case under the GDPR. Reputational damage is irrevocably linked if the response to a cyber incident is inadequate. Therefore, shipping companies need to be aware of the new rules as well, and establish procedures to ensure proper compliance.
The following infographic clarifies which companies are subject to the new regulation:
The GDPR makes personal data protection a top priority for any organisation. On the whole, all companies must take measures to enhance data security and mitigate or eliminate any related risk and be able to demonstrate that personal data is used in accordance with the Regulation. As a result, each company will need to nominate an officer, responsible for the compliance.
EU GDPR requirements
Under the new rules, companies that don't comply with the requirements are subject to significant fines. Depending on the infringed provision of the GDPR, fines may amount to a maximum of EUR 20 million, or, 4% of global annual turnover of the controller, whichever is higher.
Indicatively, the following could result in violation of the GDPR regulation:
- the absence of adequate security measures
- not discharging Data Controller’s obligations
- violating or not allowing the exercise of rights vested with data subjects
- not fulfilling the requirements for transferring data outside the EU
- not abiding by the principles and rules for lawful processing of personal data
As only few months have left, companies which have not a GDPR program already in place, need to start today preparing for the regulation. Adrian Durkin, Director (Claims) at North P&I Club, highlighted that a data audit is required as a key first step. The data audit will determine what personal data is held within each business area, where data is received from and where it is sent to, which third parties or organisations. That facilitates an assessment of how the use of that data is considered to be lawful under the GDPR.
‘’ Companies which have not a GDPR program already in place, need to start today preparing for the regulation’’
EU GDPR checklist
The concept of accountability is at the heart of the GDPR rules. This checklist includes key items that can help organisations demonstrate compliance with the GDPR’s requirements.
|Do you have visibility of and control over what personal data you collect?|
|Have you reviewed or put in place internal data protection policies covering employees, customers, other third party data?|
|Do you have a privacy-by-design program, with Privacy Impact Assessments (PIAs), documentation and escalation paths?|
|Do you have a tested breach-response plan that meets GDPR’s 72-hour notification requirement?|
|Have you defined a roadmap for GDPR compliance?|
|Have you appointed a Data Protection Officer (DPO)?|
|Have you adopted a cross-border data transfer strategy?|
|Have you implemented a training programme within your organization about the requirements under the GDPR and the possible impact of non-compliance?|
EU GDPR – 5 steps to take now
PwC Consulting suggests a 5-step approach for preparation:
- Conduct a readiness assessment: Gather information to assess your organization’s current GDPR compliance maturity, and to help understand your critical legacy risks.
- Find remediation gaps: Identify existing privacy capabilities and the work that needs to be done to bring your organization into GDPR compliance.
- Establish oversight: Put your organization’s ongoing GDPR governance structure and model into place to coordinate and implement your remediation activities.
- Implement your program: Get your GDPR program off the ground: remediating gaps and establishing a privacy program.
- Conduct operation and monitoring: Once GDPR is in effect and your program is in place, conduct ongoing compliance to drive continued accountability.
EU GDPR & Shipping
In order to comply with the General Data Protection Regulation, shipping operators should
- Ensure that consent on handling personal data is obtained, and that it can be proven.
- Conduct a Data Protection Impact Assessment (DPIA) to identify the most effective way to comply with data protection obligations and individuals’ expectations.
- Identify and notify their supervising Data Protection Authority
- Maintain records of processing activities.
- Appoint a Data Protection Officer (DPO), who will supervise compliance and data protection strategies.
- Prepare to report data breaches within 72 hour
Cyber security and the EU GDPR framework
Cyber threats have become part of maritime daily business, especially nowadays that more and more operations are becoming digitalized; Internal – External Communications, All kind of Cargo Operations, Navigation, Ballasting operations, Contracts and chartering etc.
While many may argue that none of the above types of operation include personal data - and that is partly true - in fact, data of seafarers or office personnel, such as names, nationalities, point of contacts etc, are actually included in many documents as per request in day to day activities. Therefore, a proactive approach is needed in order to protect from breaches all data featured in files.
EU Regulation sets the duty on companies to assess and decide what type of measures they shall put in place instead of just following the applicable legal requirements. This new approach would lead to a scenario in which the security measures implemented by an organization would only be checked by the authorities in case a data breach arises. Considering this, organisations should implement measures and be able to evidence that those were enough to avoid, as much as possible, any potential data breach.
The legislation guidance framework has already been set for the industry through various initiatives by key associations (IMO, BIMCO, P&I Clubs, Classification Societies, PSC Organizations, Flag Administrations etc). Any organization subject to EU GDPR requirements should consider cyber security measures being part of its procedures as it covers the most vulnerable segment of activities.
Given that ‘Assessment’ is the base for all compliance requirements, GDPR’s privacy impact assessment is a valuable tool for cyber protection. The results of the assessment may lead the way for cyber security steps in order to fortify organisation’s systems and procedure from cyber threats.
One the side, cyber security refers to technology; on the other side, human factor remains fundamental. Considering that a distracted employee who by simply leaving an unlocked computer or adhering to phishing mail, might cause a cyber incident and a substantial data breach from a GDPR’s perspective, there is need for GDPR accountability to further address the human factor. Under the GDPR, companies will have to ensure their employees are adequately trained. Consequently, this will lead to an increased demand of Cyber security training / awareness in all levels of organizational structure.
Concluding, the implementation of the GDPR comes with many challenges for all organizations as they will need to adopt new business practices, internal policies, technical and organizational measures. Extensive training in data protection and privacy legislation is a critical factor for the success of GDPR.
Finally, Cyber security should be considered as a part of overall General Data Protection and plays a key role to preparation and risk mitigation stage. Counter measures and safeguards should be implemented in order to protect organisations and individuals from data breaches and other non-willing incidents which will harm their rights and reputation.
There are currently two recognized standards or frameworks that could be used as part of a privacy compliance framework to demonstrate GDPR compliance:
- a BS 10012:2017 personal information management system (PIMS) and
- an ISO 27001:2013 information security management system (ISMS).
Further tips on how to help keep your data safe; guidelines towards an effective response to cyber incidents based upon training and awareness of appropriate organisation policies and procedures may be found in the 2nd Quarterly Special FOCUS Edition dedicated on Cyber Security!