General Data Protection Regulation (GDPR)
Regulation (EU) 2016/679, commonly known as the EU General Data Protection Regulation (GDPR), will come into force within the EU on 25 May 2018. The Regulation, which is some 88 pages long, may be found here. Notably, GDPR has extra-territorial effect in that it applies, for instance, to crew members engaged within the EU area or where personal data is transferred during a voyage within the EU area. Members who have not already done so are recommended to seek legal advice in order to ascertain the implications of GDPR for their business.
For general information about the GDPR, please read more in the document.
Implementation of GDPR principles in claims handling
By way of this Circular, however, the Club wishes to highlight the following:
- The Club considers that it will be a controller for the purposes of the GDPR. Further, where the GDPR applies, Members, brokers and external service providers such as club correspondents, surveyors, and experts will generally be controllers, since each of them is likely to determine independently the purpose and means of the processing of the relevant data. Notably, each controller is responsible for its own processing of data.
- The Club will in due course seek to supplement the insurance contracts in order to clarify that the Club may process the Member’s and the Member’s employees’ personal data in order to handle claims and perform other obligations under the insurance contract. Members are advised to review their employment contracts in order to ensure that the Club (as well as other insurers) may process personal data as required.
10 tips for the treatment of personal data:
- Respect - treat everyone’s personal data with the same respect you would wish for your own.
- Minimise the generation of personal data by email and on paper – the less personal data being created and circulated, the easier it is to protect. Only send information which is necessary for the handling of the claim.
- Cybersecurity – ensure computer systems are secure and make use of security measures such as password protection and secure email servers when transferring attachments containing passports, medical reports, contracts of employment etc. The Club will be exploring the use of enforced encryption or web portals to protect information and enhance security in the future.
- Anonymisation – aim to use identifiers for individuals, such as crewmember, broker, surveyor etc., instead of names and dates of birth. Other identifiers could be the vessel name, the nature of the incident, or the port of disembarkation, together with a reference number. This applies not just to the subject heading and body of an e-mail but also, where possible, to any documents which support the claim. If there is no alternative to using a name, we recommend that it is cited with as few other identifiers as possible. We also intend to adopt this approach for claim descriptions. If these steps are put into practice, we hope that, except for those directly handling the claim, it will not be possible to identify the individual who is the subject of the claim.
- Start afresh - if you cannot avoid identifying an individual, do so once and then start a new email so that the same personal data is not repeated in the email chain.
- Reply all? – before using “reply all”, check that it is appropriate for everyone on the circulation list to receive the e-mail you are about to send.
- Use official email addresses – do not use unofficial, private, or any other non-secure email accounts.
- Clear and lock - keep your desk clear and your computer screen locked when you are away from your desk. Dispose of hard copy data in a secure manner.
- Familiarise yourself with GDPR, including how it applies to your business and the penalties for non-compliance.
- Communicate these guidelines to everyone in your organisation.
For further information about GDPR, please visit our website or contact us at firstname.lastname@example.org.