How Important is the Data Subject and Data Processing in the Maritime Industry?

GDPR

The legislative and operational concerns of General Data Protection Regulation and how it relates to the maritime industry.


Shipping companies handle personal data from many sources, such as individuals, staffing agents, port agents and other parties, and they interact with many more, such as travel agents and P&I clubs. As a result, shipping companies process and store large amounts of personal data, such as personal identification documents, travel documents and bank details, as well as "sensitive data" such as medical records.

In addition, since shipping companies transfer personal data regularly, often across different jurisdictions, they need to meet all of the conditions required to comply with the GDPR legislation.

Vessel commercial data is not subject to GDPR unless it includes personal data. Shipping companies need to ensure that their external suppliers, vendors and service providers are also GDPR compliant!


Why is GDPR Important for the Shipping Industry?

The maritime industry is one of the largest industries in the world. Every industry has its own problems and needs specific solutions, but the maritime industry is special because the repercussions of a breach can be fatal. According to Lloyd's Register, 87% of maritime companies were victims of a cyber-attack in 2017.

Vulnerable systems onboard include:

  • The navigation bridge,
  • Cargo handling equipment,
  • The engine room,
  • The power management system, and
  • Administrative and communicational systems.

In response to the GDPR legislation, the National Institute of Standards and Technology (NIST) offers the 'NIST Framework', which is widely used as an approach to cyber security assessment and as a step towards cyber risk management. The advantage of the NIST Framework lies in its universality and flexibility, which is why it can be employed in many industries, including the maritime one. The Maritime Safety Committee (MSC) and the Facilitation Committee (FAL) have issued the "Guidelines on maritime cyber risk management" in answer to several cyber-attacks. The Guidelines fully adopt the NIST Framework and its five key elements:

Identification
The process of identifying internal and external weaknesses and risks. It covers knowledge of personnel and their ability to recognise risks, as well as the systems, data and other elements that could create a risk through disruption of normal IT processes within the company.
Detection
The activities needed to spot a cyber threat as soon as possible. Early threat detection means malicious intentions are recognised early and followed by timely steps that limit the consequences to one part of the system and protect the rest of it.
Protection
Having contingency plans in place in case of threats or incidents, together with procedures and measures to recover from an attack in good time.
Response
The response to threats depends on the development and implementation of plans and activities that will restore the system after a cyber-attack.
Recovery
The last phase, which requires implementing measures to restore the systems and data affected by the attack. This phase leads back into the first one, the identification of risks and weaknesses.

Finally, it is important to stress that the GDPR legislation obliges shipping companies to assess the impact on personal privacy whenever there is an increased risk of a privacy violation. Companies are also obliged to report any breach of their systems within 72 hours, which enables the entire industry to react quickly to potential cyber-attacks.

Photo: Jörgen Språng


How Should I Behave On Board?

As a seafarer on board, you should be very careful with your data, because a mistake can impact the whole ship or company.

You should follow these steps:

  1. Do not log in with your company accounts on your personal devices.

  2. Do not use company equipment for your personal use.

  3. Always check the address of the sender of any e-mail and watch out for suspicious subject lines, especially if the address does not belong to your company.

It is best to keep your work e-mail logins off the devices you use for personal purposes, to prevent a potential threat from entering the ship's network.

On this training platform you can find cyber awareness training that will show you the most common threats and help you become more aware of the repercussions of a cyber attack.


What Should My Organisation Do? 

You may take several steps to be compliant with GDPR legislation as an organisation. The most important ones to consider are:

  1. Nominate a person inside the organisation who will read the whole act and ensure that the organisation is compliant with the GDPR legislation.

  2. If the organisation requires a Data Processing Officer, appoint one.

  3. Make sure that your whole team knows the rules that apply to your organisation. It is best to hold a training session to ensure that all workers know the requirements.