Owning, chartering, crewing or managing even just a single yacht is no different to almost any other business. There are suppliers and, if you charter your yacht, there are current/former customers and passengers too. You will also have crew members – your employees, or the employees of whomever you task with managing yacht operations. It’s impossible to operate any professional activity without keeping information that identifies individuals. This means you need to pay attention to the forthcoming changes to Data Protection laws – the General Data Protection Regulation (GDPR).
The GDPR applies to data activities carried out by any organisation that is located within the EU. However, it also applies to organisations located outside the EU, but who offer goods and services to people located within it.
If you use services, employ crew, or have customers that are based in Europe, you will be affected by the GDPR; it’s unavoidable. It doesn’t matter where in the world you are located. Even if you don’t directly hold the data yourself, but pay someone else to do it, you are obliged to make sure your contracts with them are compliant with the rules. Therefore, being aware of the changes is vital.
If you are EU-based and operate in multiple member states, you will need to establish which one is your ‘lead data protection authority’. This will be either the EU state in which your main establishment or central administration is located, or the one where the most significant decisions about data management and processing are made and implemented.
WHAT DOES THE GDPR COVER?
Essentially, anything that is classed as ‘personal data’. This is defined as any information that could identify a person: email addresses, employee details, contact information for marketing activities or newsletter subscriptions, customer enquiries, and the details of anyone who applies to work with you and whose details you want to hold on to. The list is almost endless. Even if the data is anonymised, it can still fall under GDPR. IP addresses are included, as they can identify someone, so it doesn’t only apply to standard contact information.
Any organisation that keeps this sort of data must have the correct processes in place, before the new regulations apply in May 2018. Time is running out, so what do you need to do?
The first thing to do is to assess your activities – do you have suppliers, employees, customers or subscribers who are located within the EU? If so, you need to be GDPR-ready. To protect personal information and ensure it is managed within the GDPR rules, restrictions will apply regarding the transfer of personal data outside the EU. If you are located outside of the EU, you will need to make sure you are working within these parameters.
ACTION: CREATE A CATALOGUE OF THE DIFFERENT TYPES OF DATA YOU HOLD, WITH THE REASON FOR HOLDING IT AND LOG WHAT YOU DO WITH IT.
The GDPR places emphasis on the security of personal data. This is to increase protection against unauthorised use of, or access to, data through cyber-attacks, breaches, or accidental loss. Data processors and managers are obliged to act appropriately to properly protect data. It doesn’t matter whether the data is electronically stored, or manually maintained.
There is also an obligation to report some types of data breach to the relevant data authority; for more serious breaches, that obligation extends to also notifying the affected individual(s).
ACTION: ASSESS YOUR DATA SECURITY. ENSURE YOU HAVE PROTECTION IN PLACE FOR ALL PERSONAL INFORMATION HELD.
Check your responsibilities regarding breaches and make sure you have proper processes in place. If you outsource data management, check your processing agent has appropriate measures in place too.
A key element of GDPR is consent. It’s your responsibility to prove that consent has been granted for you to store and use the data. You also must demonstrate why you need it, AND how it is used. Consent can no longer be automatically assumed. It must be requested and given as a conscious decision. When requesting consent, there must be a clear explanation of why you need the information and it may only be used for that specific purpose.
You may have already received ‘changes to privacy’ notifications, from other organisations, informing you about how they manage your personal information. This is evidence of them getting ready for GDPR.
Importantly, you need to inform people of their right to amend or have their data deleted.
ACTION: CHECK YOUR EXISTING CONSENT TO HOLD DATA FALLS WITHIN GDPR REQUIREMENTS; IF IT DOESN’T, YOU NEED TO OBTAIN IT.
The reason you are collecting and using personal information must fall within a valid ‘lawful basis’. It must then only be used for the purpose it was obtained. It is also your responsibility to ensure all information is current, up-to-date and kept only for as long as necessary.
ACTION: ESTABLISH YOUR ‘LAWFUL BASIS’ AND DOCUMENT IT. REMOVE ANY DATA THAT IS NO LONGER REQUIRED.
GDPR also grants easier access to information that is held. People can request copies of the information and withdraw their consent, or ask for a correction to be made. You are obliged to amend or delete the data, as requested.
Failure to meet GDPR requirements for data processing could result in serious consequences. Organisations found guilty of smaller offences could receive fines of up to €10 million or 2% of their global turnover, whichever is greater. For offences that have more serious consequences, the limit for fines is a huge €20 million or 4% of turnover, whichever is greater.
In addition to the immediate actions above, the main priority is to make sure you and your operations are fully prepared. Ensure all personnel are aware of the forthcoming regulations; organise training and consider certification.
Remember, this is an overview guide and not legal advice. You can obtain thorough guidance from your Lead Data Protection Authority; contact details for countries in the EU and elsewhere in the world can be found here.
If you would like a copy of the full text of the GDPR, you can find that here and this is the link to the EU’s GDPR portal.