Those that attended our October Propel training session, in conjunction with Cornwall Marine Network, will know that there is a big change on the horizon for how businesses handle data.
In May 2016 a new law with wide-ranging implications for all businesses was passed at European level. The new General Data Protection Regulation 2016 (GDPR) comes into force on 25 May 2018 and represents a dramatic expansion of the rules around protecting personal data. For many operators in the marine industry this new law will necessitate huge changes to the way their internal processes are run.
Data risks in the marine sector are most likely to be around unauthorised access to sensitive information held by the business, customer data being used illegally, or failures to respond correctly when a person makes a data subject access request or asks that you delete or amend their data. For the harbour authorities there is also the Code of Practice on Cyber Security for Ports and Port Systems (2016) to contend with.
Mandatory breach notification
The GDPR implements a new mandatory data breach notification requirement. Where an organisation suffers a security breach leading to the destruction, loss or alteration of, or unauthorised disclosure of or access to, personal data, it must report that breach to the supervisory authority. This supervisory authority is likely to be a central European body which may issue that organisation with a fine for the security breach.
Particularly difficult for businesses will be the additional rule that security breaches need to be notified to the Information Commissioner's Office within 72 hours of the organisation becoming aware of the breach. This means that businesses will need to have robust and reliable systems for identifying and reporting security breaches, particularly where those breaches are caused by human error. You will also need to train your staff to identify these breaches and tell you.
Higher fines
The fines across EU member states are set to increase dramatically with a tiered approach to penalties for breach of the rules. The current maximum fine in the UK is £500,000. Under the GDPR the European supervisory authority will be able to issue fines of up to the higher of €20 million or 4% of worldwide turnover for the worst offences, including breach of requirements on international transfers or getting the conditions for processing wrong.
A lower set of fines, of up to the higher of €10 million or 2% of worldwide turnover, is applicable to issues such as failure to report a breach within the time limit. In these cases it should be noted that organisations can be fined both for the security breach itself and for the failure to report it.
Greater accountability
Perhaps the greatest change in the law, and the hardest for companies to comply with, is the greater accountability requirements. The GDPR requires companies not only to comply with the requirements but to be able to demonstrate their compliance with the rules through comprehensive documentation and evidence. For organisations with more than 250 employees, detailed internal written records of processing activities must be kept, including the purpose of the processing, the security measures used and the extra safeguards put in place for dealing with sensitive personal data (including information on people's health, religion, race and sexual orientation).
Tips for preparing now
Companies in the marine sector can take the following steps now to help prepare for the upcoming GDPR:
- Prepare for data security breaches
Put into place clear policies and procedures to enable you to react quickly to any security breach and comply with the mandatory notification period. Make sure your IT systems are robust enough to withstand hacking to the extent you are able.
- Create a system for recording accountability
You will need to prove that you have comprehensive records of all aspects of data protection compliance, including collection, storage, use and sharing of personal data of employees, suppliers and customers.
- Conduct a data audit
Review all your data processing activities and what data you hold in the company. Make sure you are clear on the basis on which you are processing data and that you are prepared to design all your projects with data protection at the heart.