Here in Europe, talking about GDPR compliance reminds me of the doomsday scenarios discussed as we approached Y2K; everyone was talking about it, and no one quite knew what would happen. However, while Y2K was something an IT department could quietly "fix" behind closed doors, GDPR is a very different beast that will affect every aspect of any business that employs anyone or maintains any kind of database containing personal data in Europe. And unlike Y2K, we know for sure that something is going to happen.
From May 25, 2018, all businesses that collect, record, organise, or otherwise use personal data, and that are either established in the EU or offer goods or services (whether paid or free) to individuals in the EU, will be subject to these new privacy rules.
We talked to Benjamin Maltby of Keystone Law to understand the legalities of what this means for the yachting industry.
What is the GDPR?
The GDPR (General Data Protection Regulation) applies to ‘personal data’. This means any information relating to an identifiable person who can be directly or indirectly identified from that information will be affected. This includes names, addresses, dates of birth, identification numbers, and location data.
The four biggest GDPR pitfalls are:
1. To regard GDPR as so much extra paperwork and do nothing at all;
2. To glance at existing data protection policies and hope that they will suffice – there should be a paper trail of analysis and consideration;
3. To copy and paste online materials in the hope that generic documents will satisfy GDPR requirements (they won’t); and
4. Not to take advice as needed.
What are the specifics?
Affected businesses must comply with the core principles of the GDPR. These are that personal data must be:
1. Processed lawfully, fairly, and in a transparent manner in relation to the individual;
2. Collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
3. Adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed;
4. Accurate and up-to-date;
5. Kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; and
6. Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures.
Overall, what is your impression of how prepared the industry is for May 25th?
Bad. It’s not just about being prepared for May 25th – it’s about being prepared for the next decade at least.
It’s not as if the data inspectors are going to be knocking down doors on May 25th – it’s the reports submitted by disgruntled employees, clients, or rivals over the coming years which will have the greatest effect.
What would be your suggestions to companies which have not yet started looking at compliance?
The GDPR is complex, but compliance for those affected is mandatory.
Who will be enforcing GDPR regulations and what are the penalties for non-compliance?
The GDPR will be enforced by national government agencies.
Non-compliance could result in fines of up to EUR 20 million or 4% of annual global turnover – whichever is higher.
Affected businesses can contact Benjamin Maltby via his website profile, by email, or by telephone (t +44 20 3319 3700 / m +44 7773 246 246).
This article does not constitute legal counsel, and you should seek independent expert advice in order to comply with current legislation.