Damp Data Squib

GDPR Not as Troublesome as Feared

By David Whitehouse

Readers of a certain age will remember the Y2K bug which, as the year 2000 approached, was confidently predicted by the doomsayers to wreak cosmic computer havoc. A whole industry of instant IT experts flooded people’s inboxes with warnings of impending doom, and offers of quick, expensive solutions.

Fast forward to 2018 and the implementation of the European Union’s General Data Protection Regulations, or GDPR, produced a similar scenario. Now, as back then, companies have miraculously survived. A year in, how have stakeholders in the breakbulk and project cargo sectors adapted to the change?

GDPR, which governs the collection, storage and handling of personal data, came into force in May 2018. A host of new rights came into being with the rules, including a customer’s right to be told that their data is being held, to access it and have it rectified in case of error, to restrict processing of the data and to have it erased on demand. It is not yet clear how the UK will deal with data protection after Britain’s departure from the European Union, but there is no reason to expect a marked deviation from GDPR: The UK’s 2018 Data Protection Act is an almost identical copy of GDPR.

According to Lawrence B. Brennan, who specializes in maritime law as adjunct professor of law at Fordham University in New York, the GDPR requirements represent “dramatic shifts to data transparency as well as the empowerment of data subjects.” The new rules “place greater administrative burdens on shipping companies, ports, their contractors and subcontractors as well as others such as insurers, brokers and banks.” Inevitably, Brennan said, customer information must be shared with other parties involved in a transaction such as insurers, banks, financiers, delivery agents, customs brokers, and government and port officials.

The stakes are high in terms of compliance. Penalties can be as much as €20 million or 4 percent of the organization’s annual turnover, whichever is the greater. But the potential fines tell only part of the story: customers are in a position to inflict quicker and possibly more painful revenge.

Threat of Non-compliance
Thales found in November 2018 that, across all industries, 86 percent of consumers would consider switching to another company in case of a data breach. Some 35 percent of consumers said that a data breach under the GDPR would “definitely” give them a negative perception of a company, while 69 percent said they would think about initiating legal action against a company that failed to manage their personal data under GDPR. In the UK, the Information Commissioner’s Office will publish any steps they take against an organization, putting the breach into the public domain.

In maritime disputes of any kind, Brennan said, the rules will provide additional sources of documentation and inquiry for discovery and disclosure. However, he sees little chance of the rules in themselves having any direct impact on the number of legal disputes related to breakbulk and project cargo.

Mark Williams, managing director of Shipping Strategy Ltd. in Cambridge, agreed. He spent more than 20 years in shipping brokerage, including at HSBC, and has consulted on breakbulk projects. Best practice, he argued, has always been not to sell data on to third parties. The reputational risk in a small universe of customers is too great, he said. In administrative terms, he added, compliance with the rule is a relatively simple task and involves reacting to “unsubscribe” requests as they are received.

According to the 2019 Thales Data Threat Report, there are now more than 100 privacy laws and initiatives promoted by governments around the world on top of other industry-specific regulations. Thales argues that the impact of data use compliance is likely to continue to rise globally, and that regulations are likely to become more, not less, rigid.

The costs of meeting ever-higher compliance demands may be higher for small operators, with the GDPR penalties enough to sink them. Brennan said smaller companies may find it more efficient to turn to third-party vendors to achieve compliance, and that they may not have the same direct control over a third-party agent as they would over their own staff. He recommended that contracts between smaller companies and third-party providers should include terms governing the extent of liability for any breaches.

A Question of Size

Alan Jervis, CEO at Jervis Marine Insurance Experts in London, a company that advises clients on risk-management practices, noted that large freight forwarders probably already have a dedicated data compliance employee and so can cope with the issues.

The issue, however, can be complicated for project cargo, Jervis added, as moves necessitate dealing with global businesses. Here the regulatory burden is more complex if the destination is in Africa or South America, as GDPR applies to any company anywhere that is dealing with EU business or personal data, regardless of whether it has a European presence. He noted that then “you are only as good as the people you deal with.”

According to a briefing from HFW law firm, GDPR applicability outside the European Economic Area, or EEA, is likely to be triggered if any of the following conditions are met:
• Having vessels flagged within the EEA.
• Having services that can be bought within or a website that is targeted on customers within the EEA.
• Having a registered office within the EEA.
• Having a business registration with an EEA data protection authority.
• Use of servers located in the EEA.
• Monitoring of the behavior of any individuals within the EEA, such as through website cookies.

All this serves to further complicate the task for small shippers or business that might only have a full staff of three or four people, Jervis said.

Project cargo, he pointed out, is very time sensitive, and smaller players spend a great deal of time ensuring that delivery times are met. In his view, it’s too early to say if the small players will successfully manage to juggle those deadlines with GDPR rules, but he noted that it wouldn’t surprise him “if they were struggling.”

Available statistics do not provide a clear answer, but, across the board, the picture may be worse than it appears. Research published in February by the law firm DLA Piper said that countries in Europe have already reported more than 59,000 data breaches since GDPR came in, with the Netherlands, Germany and the UK having had the most breaches. This, however, may be an understatement. Regulators are stretched, according to the research, and have a large backlog of notified breaches to deal with. They have prioritized the larger, higher-profile breaches, so many organizations are still waiting to hear from regulators whether any action will be taken against them.

Managing Data

The rules, Brennan said, also underscore the importance of cyber security for all parties to a cargo transaction. Indeed, Jervis called GDPR “another compulsory nudge” in terms of cyber security. Yet the new rules also open up new, more positive possibilities.

GDPR has forced companies to take control of their customer data and make it available for the consumer and the marketing department alike. There is now an obligation to make sure that information that is stored about clients is up to date and the rules oblige marketers to go back to basics and question whether customers actually benefit from a company’s communications. Marketing that is lower in frequency but higher in impact in terms of authenticity and personalization has been found to be a possible benefit of the data management process.

The rules will “force people to do the work” in terms of marketing, according to Nic Ingle, executive director of the International Dry Bulk Terminals Group, which represents worldwide owners of bulk terminals. “I’d rather people make three calls a day that get somewhere rather than 30 that get nowhere,” he says.

Shipping Strategy’s Williams saw the rules as a positive in terms of renewed client relationships. “It’s an excuse to get in touch,” he said. Jervis agreed: “Any opportunity to communicate in a responsible way” will help cargo players. There’s “more respect” from customers when dealing with a proactively compliant firm.

Overall, Ingle argued that the GDPR rules are mainly a question of “good husbandry.” In his view, “people who misuse information deserve what they get.” There is a burden in the shape of new company hires who need to be trained in GDPR, he said, but in his view serious companies were already protecting client data before the rules came in. And there are sound business reasons for this: according to Ingle, there are few operators who are able to execute complicated project cargo deliveries. “They tend to have the smile on their faces of people who can charge what they like. I’m sure they won’t want anyone else to know who the client was.”  

David Whitehouse is a journalist who spent 18 years with Bloomberg, before turning to a career as a freelancer. He has written for The Financial Times, the World Economic Forum, Deutsche Bank, Germany Trade & Invest, and UBS Asset Management, among others.

Image credit: Shutterstock