In May 2018, two dramatic changes to data protection and privacy management regulations will come into force. The EU’s General Data Protection Regulation and Network Information Security Directive will affect almost every sector of the marine and maritime industry. Organisations that are not compliant may incur fines and reputational damage.
The NIS Directive will require “companies, ships, port facilities, ports and vessel traffic services” to take demonstrable measures to manage cybersecurity risks. They will have to report any cyber incident that affects the continuity and privacy of their services to designated authorities without undue delay. The increased visibility of breaches will indirectly force companies to protect data efficiently and reduce both the impact of cyber threats and related public concerns.
The GDPR will have a huge effect on privacy protection and management of passenger information. It could also impact “individual vessels operated by coastal passenger sea transport companies” not included in the NIS Directive. The main obligations are:
- The introduction of Data Protection Impact Assessments (DPIA) and a Data Protection Officer
- Data portability – the right of individuals to transfer their personal data from one organisation to another
- Security and data breach notification – data must be properly safeguarded against unauthorised access, theft or loss, and breaches must be notified
- Obligation to track and maintain documentation of processing operations
- Data protection by design and by default – data protection management is taken into account from the early stages of the design process
Several companies are already compliant with the new legislation. Others need to improve their systems or provide formal evidence of compliance.
One challenge is to identify how this legislation impacts a specific organisation. Consequences may vary. For shipping companies, according to IMO objectives, cyber risk management aboard vessels should be handled like other operational risks, namely, through a Safety Management System that complies with the ISM Code.
Organisations should perform a three-part assessment process. First, identify the “important assets and infrastructure” and “personal data” they manage. Second, identify the processes in which those data, assets and infrastructure are used. Third, develop a cybersecurity risk assessment. The assessment outcomes can help organisations draw up cybersecurity plans, policies, processes and procedures to demonstrate their capability to manage and protect client data.
RINA supports marine and maritime organisations with consulting services, helping them assess their compliance with cybersecurity regulations and fill identified gaps. RINA has the necessary in-house information and cybersecurity competencies to assist in every stage of the process and avoid potential financial or reputational harm.