On 25 May 2018, the General Data Protection Regulation (GDPR) entered into force applying to all businesses established in the European Union (EU) and controlling and/or processing personal data. It is expected to have wide application. The main tenant of the GDPR is that it endows individuals with far greater control over how businesses collect, hold, process, update and distribute their personal data. Personal data includes names, email addresses, phone numbers, addresses and various other snippets of information that, when used in isolation or in conjunction with other data, can identify a particular living individual.
“Essentially, the GDPR applies to any business established in any way in the EU and holding personal data” starts William MacLachlan, senior associate at Holman Fenwick Willan (HFW). “Immediately you can see how it applies to just about everyone, it is likely that a non-EU flag owned / non-EU owned yacht would still be deemed established in the EU if operating in the EU and particularly if operating commercially. A Failure to comply with GDPR potentially exposes businesses to an action by the authorities applicable in their jurisdiction of up to €20 million or four per cent of the businesses global revenue, whichever is the higher.”
Businesses who have not already done so need to be taking their compliance with GDPR seriously. The applicable authorities across the EU's member states have made no secret of their intention to enforce the GDPR. Whilst becoming GDPR compliant is a daunting task for any business, there are a number of simple steps that can be taken to reduce the risk of a data breach and demonstrate an intention to comply, thereby reducing the likelihood of an action being brought against your business. Firstly, you need to audit the data you hold, understand what you hold and why you are holding it. If it is out of date, or you don’t need it, the best thing to do is remove it from your system. Chartered superyachts, for instance, may hold a wealth of information on past crew members, previous charterers and a variety of guests and day workers.
“There are probably a number of yachts out there that are navigating the world’s oceans with large amounts of personal data on their systems and no need to hold it,” continues MacLachlan. “There may be health records, passport copies, bank details, names and addresses and all manner of personal data held on either the captain’s personal computer or the yacht’s main computer with no real need to hold on to it. If you don’t need it, delete it.”
However, for many businesses, particularly those in sales such as the brokerage houses, their databases are key to their operation. Having completed its audit and identified the personal data it considers should be retained, a business must ascertain the lawful basis for doing so (there are six lawful reasons to hold personal data under GDPR) and understand how such data is held and secured. Consent from the data subject to the processing of their personal data is not the only means of establishing a lawful basis for processing such personal data but it is one means amongst several which businesses have in recent weeks been adopting when contacting their data subjects.
GDPR is not only an issue for a company’s management team, it is expected that all employees understand at least the basic requirements of the GDPR and how to ensure that a data breach does not occur.
“Research has shown that 80 per cent of all data breaches are down to human error, so if you can train up your staff and make them aware of cyber security and their employer's obligations under GDPR and thereby help them avoid data breaches, you will go a long way to reducing the risk of a data breach, which may otherwise lead to an enforcement action against the business,” explains MacLachlan.
Businesses also need to consider their contractual matrix and ensure their contracts have been updated to reflect the various GDPR obligations and liabilities. For example, any charter should now be accompanied with a privacy notice and, ideally, address GDPR and the parties' respective rights and obligations in the body of the contract. Further, all other contracts involving personal data, including employment agreements, central agency agreements and management agreements (amongst others) should also be reviewed and updated to ensure responsibility, risk and liability for data protection are apportioned appropriately.
All companies are not equal in terms of the finance, technology or human capital that they have at their disposal. It is, therefore, not expected for small businesses to invest in top of the range cyber security measures, unlike the world’s largest corporations. However, these businesses must be able to prove that they have taken reasonable measures to comply with GDPR and mitigate the risk of a data breach (cyber or otherwise), as well as having a lawful reason for retaining such personal data. They must also provide those data subjects on whom personal data is held with a privacy notice explaining how and why that data is held and their rights in respect thereof.
“You need to do enough to be able to mount a reasonable defence in the event of a data breach that resulted in an action against your businesses. The best advice to any client is to conduct a risk-based assessment, you need to be able to demonstrate that you’ve done all that you could reasonably be expected to in the circumstances you find yourself in.
“The optimistic view is that the various authorities are not out to catch the little guy, they are after large global corporations. However, it is important that no business, regardless of size, rests on its laurels because of this view, anyone doing so will look pretty silly if they suffer a data breach and have an action brought against them. In this event, a business must be able to show that it has taken steps to comply with GDPR.
“The UK's Information Commissioner's Office (the ICO) has made it abundantly clear that it will be no defence to say that ‘we are waiting to see what other businesses are doing or we have not had long enough to comply’. Whilst the ICO has recognised that compliance with GDPR, particularly for smaller businesses, is a major undertaking and that many are still on the compliance "journey", they expect businesses to be able to demonstrate that they are taking seriously their obligations and the Commissioner has explained that they have the resources, the authority and the wherewithal to enforce this regulation and that they will be doing so. It is reasonable to expect the ICO's counterparts elsewhere in the EU to be adopting similar positions.”
If your business, or charter vessel, has not done so already, conduct an audit, establish the lawful basis for data retention, delete unnecessary records, update your contracts and prepare and send a privacy notice.
The Superyacht Group has updated its marketing preferences, you can tailor content to your exact preferences, and ensure that all correspondence you receive from The Superyacht Group is 'something worth reading'. Click here to edit your marketing preferences.
If you've found this story to be 'a report worth reading', and you would like to enjoy access to even more articles, insight and information from The Superyacht Group, then you may well be interested in our VIP print subscription offer. We are inviting industry VIPs to register for a complimentary subscription to our print portfolio, which includes the most insightful information on the state of the superyacht market. To see if you qualify for our VIP subscription package, please click here to fill in an application form