Expiry date for data
Personal information is about to get a use-by date, writes Stevie Knight
Ports, operators and supply chain businesses have spent time and effort trying to capture as much personal data as possible, but it’s now about to have the same status as a meatball that’s rolled to the back of the fridge. The clock is ticking on its usefulness – and you need to take action before it starts to create a real stink.
The European Union’s old data protection Directive has been challenged by a world where information is being used in ways that were completely unforeseen before the turn of the century. Hence it's been completely overhauled and reinvented as the General Data Protection Regulation (GDPR).
The idea behind the GDPR, explains Felicity Burling of HFW, is to give people back some power over how information about them is used. At the same time it aims to make the data protection legal environment consistent across the whole extended European Economic Area and smooth the pathway of the new digital economy by applying some clear rules.
Ms Burling explains that one of the biggest changes is that the new principle of accountability means it will no longer be sufficient to simply say you’re compliant – organisations will need to be able to demonstrate it: “People who thought they had already ‘done’ data protection and put it away in a box will likely have to get it all out again,” she says.
For those that might be tempted to dismiss it, Ms Burling points out that the law comes with a lot of teeth: “The fines have been dramatically increased. A breach of the fundamental provisions could cost you 4% of your annual turnover, or €20m, whichever is the greater.” Moreover, even if you are reading this in the US or Australia, the laws could still apply if you’re handling data from citizens inside the zone or if you have fixed operations within the EEA.
Privacy by default
Despite nearly a hundred different clauses, the overall concept is a straightforward one. Inga Morton of Jura Associates explains that it’s all modelled on 'privacy by default, privacy by design'.
So, at its heart, the new law requires information to be retained "no longer than is necessary for the purpose you obtained it for", which means that you cannot simply transfer information garnered for one purpose into another list. According to Ms Burling, with some exceptions, personal data needs to be deleted after the processing for that purpose has been completed, or on request under the “right to be forgotten” element of the rules.
Yet however simply it is expressed, its implications run deep.
The new law covers a lot of ground as it includes anything that can be used to identify individuals. This means holding even such apparently innocuous information as email addresses will come under scrutiny, as these often have a first-name, second-name format. But it could be applied to less specific details, and companies might be advised to take a broad approach. “A survey done in the US showed that 87% of the population could be identified just by gender, postcode and age,” explains Ms Morton. Moreover, for some it will mean digging into existing IT systems. Another pointer from Ms Morton is that one recent study found that 60% of IP addresses could identify individuals, so they, along with internet cookies, look likely to be caught up in the new legislation.
A further twist to the issue is that in some cases you now need to obtain consent before carrying out the processing – and the definition of ‘valid consent’ has been tightened. So a broad opt-out tickbox at the bottom of a webpage is unlikely to cut it.
Businesses also need to think hard about information that gets handed to them – and it’s bound to affect contracts. “For example, European companies will have to put clauses in their counterparty agreements, in particular if they are transmitting data to a non-EU company, to make sure that this data law is complied with,” says Ms Morton.
But it also applies to everyday routines, explains Richard Morton of International Port Community System Association. “Under these rules, if someone’s sending you data, you may need to make sure the person sending it has the individual’s permission to pass it on – you can’t assume that.” Ms Burling underlines that this also applies to things most people do without a second thought – like forwarding emails which usually have personal information in the signature or embedded in the address.
However, Ms Burling says “avoid using consent if you can, since the requirements are very strict and it is difficult to obtain”. She advises using other, more appropriate legal grounds such as ‘legitimate interest’ or ‘necessary for carrying out a contract with the individual’, although she points out that full, valid consent will still be needed for sensitive categories like health information.
One particular issue for ports and terminal operators is their extended, complex family of stakeholders, so, like that meatball, the data might be hiding just out of immediate sight: “For example, auto-checking systems, for drivers and vehicles that come into the terminal area, often have personal details attached to the vehicle number plate,” says Ms Morton. Ms Burling adds that “some ports will have data sitting in legacy systems” which needs to be unearthed and dealt with.
Even for larger operations it’s an uphill job. According to Shauni Willems of the Port of Antwerp, GDPR compliance “is indeed not an easy task”. Her colleague Greet Souvereyns says the main challenge right now is having an overview of all the processing activities of personal data that the port is doing. Ms Willems lists a dozen priority actions: ensuring appropriate policies and rights are in place, including those around giving permissions; a review and remodelling of the port’s contracts to meet the new requirements; working out how to record all the processes; and “making sure everything is documented so that our organisation can always demonstrate compliance”.
Data protection role
A key issue is whether to appoint a data protection officer whose job is to advise the port and monitor its compliance with the GDPR. These roles promise to be extremely sensitive: on one hand there will be company culture (and the end of any ‘informal’ Excel contact lists) and on the other, the heavy hands of the regulators.
But while large organisations will probably have the necessary resources, “it’s the smaller businesses that are going to have most trouble”, points out Ms Morton, especially those such as freight forwarders “which could be dealing with large amounts of personal information, but are often only two- or three-man companies”.
“It’s difficult... most companies won’t be able to make their system completely watertight,” admits Richard Morton. He advocates taking a ‘risk-based’ approach but he underlines “it still needs a complete data audit to do successfully”.
He concludes that a change of attitude is required: “It’s a little like realising something is radioactive; you have to make sure it doesn’t just sit inside your system, after using it, you have to flush it out. I’d say, look at what are the flows of data in the port, not just how you store it, but how you receive it and how you pass it on – it should all be made visible. Then you can decide what to tackle and how.”
THE BIG DATA CLEAN UP
The new GDPR law is, perhaps inevitably, wrapped up with trust issues in the digital economy and the overarching requirement is to ensure the foundations for global business are solid.
For some, this signals a perfect storm is on the way: information handling processes, many of which are dictated by existing IT systems, will have to be reviewed and probably overhauled. At the same time cyber security has come under the spotlight – those found wanting will be facing penalties. A business that suffers a serious personal data breach will have to inform all affected individuals ‘without undue delay’, so possibly even before the 72-hour window closes for reporting to the national regulatory bodies.
Those who fail to do this within the mandatory timescales could face a penalty of up to 2% of their annual worldwide revenue, or €10m, whichever is higher. Simply saying you missed seeing it won’t be good enough, so ports and their businesses will have to train personnel to spot trouble.
For many, GDPR will force a big data clean-up... or beware the consequences: as Richard Morton points out, various state authorities are lining up the data issues: “Certainly in the UK, the government has been saying it will be applying pain for security breaches, so if companies aren’t keeping their systems cyber-secure, there will be fines.”