TT Talk - Be alert! EU General Data Protection Regulation

The EU General Data Protection Regulation 2016/679 comes into force on 25 May 2018. It effectively impacts globally - get ready.

Regulation (EU¹) 2016/679, containing the General Data Protection Regulation (GDPR), will shortly be in force and will have direct effect in the EU/EEA². It is some 88 pages long and may be found here:

The broad intention of the regulation is to strengthen and harmonise EU/EEA procedures concerning the collection, storage, processing, access, use, transfer and erasure of personal data. The aim of GDPR is to protect natural persons in relation to the processing of data. It is important to recognise that the regulation effectively applies globally; firstly to those entities within the EU/EEA which may hold such data and secondly outside the EU/EEA to those which may offer goods or services to natural persons within the EU/EEA, or send personal data to organisations or other recipients within the EU/EEA.

Inevitably, since TT Club operates within the EU/EEA, GDPR will immediately apply to the Club. The impact of the regulation for TT Club will most often be felt in claims relating to bodily injuries, as well as policies provided to individuals (such as cargo all risks).

Broad application

Importantly, the regulation will apply to entities and third-party service providers wherever personal data is held or handled. It is particularly critical to note that it applies extensively outside the EU/EEA and therefore all businesses need to consider the requirements of the regulation, assess their exposure and put in place appropriate procedures and controls in order to comply. The nature of the global supply chain is such that GDPR is particularly intrusive.


The level of fines under the new regime is substantially higher than under existing legislation. The amount of a fine will depend on a number of factors in each individual case, but can be up to €20 million or up to 4% of the worldwide annual turnover of the preceding financial year, whichever is higher. This alone should focus corporate minds.

The central tenet of the regulation is the control of any information relating to an identified or identifiable living natural person or individual ("Data Subject"). This is someone who can be "identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person".

It can readily be seen that most business entities will collect, process and retain data that may fall within the scope of this regulation. Consequently, careful attention will be required to set up structures and procedures in compliance with the regulation.

General considerations

While TT Club is specifically not here providing legal advice and would urge companies to seek independent advice from a lawyer or their local Data Protection Authorities, there are some general recommendations that may be given. For example, all supply chain stakeholders should consider including suitable GDPR wording on their websites, in contracts, employment contracts, collective bargaining agreements, and the like to allow the processing of sensitive personal data on a permitted basis.

Furthermore, affected entities should undertake a review, potentially with a focus on the following areas:

  • Updating or adoption and implementation of a Data Protection Policy;
  • Where handling data on a large scale, consider the appointment of a Data Protection Officer;
  • Establish routines to ensure that data subjects receive appropriate information about processing of personal data and their rights;
  • Unless there is another legal basis upon which to continue to store it, personal data which is no longer necessary should be deleted; and
  • Security should be enhanced for communications with third parties relating to sensitive personal data as defined (e.g. health and medical data).

Some more extensive general information on GDPR is available on TT Club's website.

Broader context

While GDPR does not directly address it, cyber protection is intrinsically at the core of data protection. As a result, it may be prudent to see this legislation as indicative of a broader trend in the development of regulatory expectations globally in relation to cyber security. Within the European Union another such example would be the Directive on Security of Network and Information Systems (NIS Directive), which will impact many operators (particularly ports and terminals) within Europe.


For a broader analysis of cyber exposures in the maritime supply chain, TT Club would commend its paper entitled 'Risk Focus: Cyber - Considering Threats in the Maritime Supply Chain', jointly published with UK P&I Club (also managed by Thomas Miller) and cyber security consultants NYA. This is available as a free download here.

Such diverse initiatives - some overtly addressing cyber vulnerabilities, others not - highlight that cyber security is ever more pertinent throughout the global supply chain community.

¹ European Union

² European Economic Area

We hope that you have found the above interesting. If you would like further information, or have any comments, please email us, or take this opportunity to forward to any colleagues who you may feel would be interested.

We look forward to hearing from you.

Peregrine Storrs-Fox

Risk Management Director, TT Club

Staff Author

TT Club

Date: 02/05/2018