What is GDPR

The General Data Protection Regulation (GDPR) became enforceable on 25 May 2018 in the European Union and the European Economic Area (EU/EEA). It has also been implemented in the UK, which had previously initiated the Brexit process. The regulation establishes an accountability mechanism to safeguard personal information from abuse by data controllers and processors through enforceable data subject rights and effective supervision. It applies to all individuals and organizations that collect, store, process, access, use, transmit or erase personal data of EU/EEA residents, regardless of whether the individual or organization is based in the EU/EEA, as long as they provide products and services to EU/EEA residents or transfer personal data to enterprises located in the region.

GDPR fines and penalties

Administrative fines are imposed depending on the circumstances, with regard to the nature, gravity and duration of the infringement and the action taken by the controller or processor to mitigate the damage. In some cases, violators of the GDPR may be fined up to €20 million or, in the case of an enterprise, up to 4% of the annual worldwide turnover of the preceding financial year, whichever is greater.

Impact on CPI and its Members

For CPI (“the Club”) and its Members based in Asia, GDPR compliance is most likely to be required when they handle claims for personal injury and death in the EU/EEA or cases that involve collecting personal data of EU/EEA residents. Reinsurers, correspondents, surveyors, lawyers, experts and brokers may all be regarded as data controllers, since they are able to independently determine the purposes for which data are processed, and may be required to act in accordance with the regulation. Given that the Club, through its office in London, may arrange reinsurance for P&I and H&M cover in the European market, GDPR may also come into play there.

Principles for processing personal data

1.  Lawfulness. Processing is lawful only if the data subject has given consent or if it is necessary to fulfil contractual obligations with the data subject.

2.  Fairness. The data subject shall be informed of his/her rights and of the way his/her personal data will be processed before giving consent.

3.  Transparency. Information relating to the processing of personal data shall be plainly worded and provided in a way that is easy to comprehend.

4.  Purpose limitation. Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

5.  Data minimisation. Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes.

6.  Accuracy. Personal data shall be accurate and kept up to date if necessary.

7.  Storage limitation. Data processors shall keep the data for no longer than is necessary.

8.  Integrity and confidentiality. Appropriate measures shall be taken to protect personal data from unauthorized or unlawful processing.

Additionally, special categories of personal data, including data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, genetic information and data concerning health, are regarded as sensitive and are subject to further restrictions.

Advice to members

In handling personal illness or injury files it is often necessary to exchange sensitive personal data with Members, correspondents and service providers around the world on an urgent basis, so implementing GDPR principles is particularly important. Following P&I Club recommendations, here are some good-practice tips for processing personal data:

1.  Respect everyone’s personal data the way you would wish for your own.

2.  Minimise the generation of personal data by email and on paper – the less personal data being created and circulated, the easier it is to protect. Only send information that is necessary for the handling of the claim.

3.  Cybersecurity – ensure that your computer system and email server are secure, especially when transferring attachments containing passports, medical reports, contracts of employment etc.

4.  Anonymisation – use identifiers for individuals instead of names, rank and dates of birth. Identifiers could be case number, vessel name, surveyor information, the nature of the incident or the port of disembarkation. If there is no alternative to using a name, it should be cited with as few other identifiers as possible.

5.  Start afresh – if you cannot avoid identifying an individual, do so once and then start a new email so the same personal data is not repeated in the email chain.

6.  Reply all? Before using “reply all”, check it is appropriate that everyone in the circulation list should actually receive the email you are about to send.

7.  Use official email addresses – do not use unofficial, private, or any other non-secure email accounts.

8.  Clear and lock – keep your desk clear and your computer screen locked when you are away from your desk. Dispose of hard copy data in a secure manner.

9.  Familiarise yourself with GDPR and communicate with colleagues about what should be done.

Conclusion

A year after its implementation, GDPR is estimated to have protected the personal data of at least 500 million people in the EU/EEA. It has also drastically changed the way data are treated in many businesses, including multinationals and international organizations that are not based in the region. As such, CPI itself and some of its Members are recommended to keep following the matter and to be aware of the latest updates.

For further consultation, please contact your manager at the Club.