Maersk cyber attack highlights importance of EU data protection rules

This story originally published on Fairplay.IHS.com.

With the Maersk hacking debacle still fresh, a presentation by Moore Stephens on the reinforcing of EU data protection law was timely reminder of the need for companies to maintain security on all their systems and to be vigilant at all times, according to Moore Stephens associate director Christopher Beveridge.

Had the new rules already been in place, Maersk would have been required to report the breach within the first 72 hours after its discovery. If any data has been lost there would be a requirement to report it.

Even without the General Data Protection Regulation (GDPR), which will become enforceable on 25 May next year, the rules are strict, particularly when it concerns the personal data of individuals, but the GDPR will mean that companies holding sensitive personal data such as crew information, including passport and banking details, will need to look at their systems and ensure that they meet the new rules, said Beveridge.

Essentially the GDPR will supersede national legislation such as the UK's Data Protection Act of 1998, but it will maintain the general principles of the Data Protection Act, such as data controllers will need to show that the data is being used fairly, for a specific purpose, that it is adequate and accurate, and that it maintains an individual's rights and their security.

The GDPR will require companies and any data processors such as ship managers and crewing agents to have a good security infrastructure in place. Data processors are required to report any breaches without undue delay to the data controllers.

However, in a shift away from established data protection rules the GDPR will govern all organisations processing or handling personal data operating within the European Union, but it also applies to all organisations regardless of where they are based, though Beveridge points out the EU has not specified how it will enforce this element of the GDPR.

Enforcement will, it is promised, be rigorous and onerous with fines of 4% of annual global turnover or EUR20 million (USD22 million) whichever is the greater, and penalties can be levied on ship managers and agents and crewing agents, with the onus on data controllers to be aware of third-party data processors working on their behalf, explained Beveridge.

Consent rules have also been bolstered placing a requirement on data controllers to show "legal consent from all data subjects on how data collected is to be used", according to Beveridge. In addition, the GDPR stipulates that the data subject must be made aware of the implications of giving consent without the use of jargon, as "consents must be provided in an accessible form using clear and plain language".

Among the other rights that will be enshrined in the GDPR will be the right for individuals to request data is held in commonly used formats to allow portability and the transfer to other data controllers, while the individuals will have the right to confirmation that their data is being processed and these requests must be supplied free of charge. In addition, individuals will have the right to be 'forgotten' by all those holding data on them, including third-party processors.

Being prepared is the best method of compliance, said Beveridge, and that includes being aware of what information is already held through an information audit and looking at processes for dealing with portability and deletion requests. Companies should also consider what procedures are currently in place for the detection, investigation, and reporting of data breaches and look at whether they need to be updated.

Beveridge points out that a new data control system must have data protection designed into it; it must not be an afterthought. Another important requirement of the GDPR will be the appointment of a data protection officer (DPO) or a designated data controller within the organisation who will take care of compliance issues.

"Time is running out - there is less than one year before the enforcement of the GDPR and a failure to comply could have serious effects on an organisation, not just financially through penalties, but also through the loss of reputation," said Beveridge, adding that in the worst-case scenario some companies may be prevented from trading within some jurisdictions.