At sea with the GDPR

In April 2016, the European Union finally passed a dry, but important, piece of legislation, the General Data Protection Regulation (GDPR). EU member states were given a two-year period to implement it into their own national law, writes Adam Bernstein.

Despite the move towards Brexit, the UK will be implementing the GDPR and it will continue to have effect through a new Data Protection bill that is currently wending its way through Parliament. The UK will be fully compliant from May 25 2018 and all businesses, irrespective of size, need to plan for the new changes.

Personal data is defined as anything relating to a person who can be identified directly or indirectly. Numerous surveys over the summer of 2017 have suggested that firms will have difficulty in complying with the GDPR unless they make significant changes to how they operate. It makes no odds how small a company is or how much data it holds; so long as data can identify an individual the GDPR will apply. The rules – under the present Data Protection Act and the GDPR – also apply to structured paper records. If records are searchable, they’re caught by the legislation.

The GDPR markedly changes the enforcement and penalty landscape. The Information Commissioner’s Office (ICO) can presently levy fines of up to £500,000 under the Data Protection Act. The GDPR raises that to a maximum of 4% of global turnover or 20m euros – whichever is higher.

Those holding data have to ensure that data is securely kept and that staff are briefed on the law. More importantly, holders of personal data will have to design safeguards into their systems which need to be appropriate and in proportion to the degree of risk associated with the data held.

A fundamental tenet of the GDPR revolves around the need to require consent to be given by an individual whose data is held. Consent is specifically defined by the GDPR and means ‘any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed’. Firms need to be able to show how and when consent was obtained. It cannot be obtained through pre-ticked boxes and nor can it be bundled with other matters such as an employment or contract. Individuals can withdraw their consent at any time and have a right to be forgotten.

When collecting data, it’s a requirement of the GDPR that the individual is told about the identity and contact details of the data-gathering business; the purpose of acquiring the data and how it will be used; whether the data will be transferred outside of the EU and EEA; how long the data will be stored for; their right to access, correct or have the data held erased; the right to withdraw consents previously given at any time and the right to lodge a complaint.

Importantly, the GDPR demands that individuals must be told how their data is processed in a clear and understandable way. Individuals can make requests to see their data, and these must be fulfilled ‘without undue delay and at the latest within one month of receipt of the request’.

Another change brought in by the GDPR requires companies to report any breaches of security. Where the breach involves personal data, companies must notify the appropriate authority, most likely the ICO no later than 72 hours after having become aware of it. This could, if a breach occurs on a Friday, mean working through the weekend.

The GDPR is not going away and Brexit is not going to save a business from complying with its requirements. Time spent on the ICO’s website ( will be time well spent.

Latest Press Releases

WesCom Signal and Rescue shortlisted for the 2018 Safety at Sea Awards

The world’s leading supplier of marine distress signals, WesCom Signal and Rescue announces it has b... Read more

Torqeedo appoints Engines Plus Ltd as new UK canal boat sector dealer ahead of inland waterways festival, Crick Boat Show

Torqeedo has appointed Engines Plus Ltd, a leading engine dealer, to be the UK dealer for the canal ... Read more

Torqeedo Showcases Latest Innovations in Sustainable Marine Propulsion Technology at Seawork International

Crystal Lake, Ill. – May 23, 2018 – Torqeedo will demonstrate the latest developments in electric ma... Read more


Leading Audio Manufacturer Unveils Groundbreaking RA770 and SRX400 Audio Entertainment Systems Read more


Leading Audio Manufacturer Announces Powerful Plug and Play Solution with Bluetooth Streaming Read more

Experts Highlight Viable Power and Propulsion Solutions for Next Generation Vessels

Lithium-ion battery expert Dr John Warner is presenting at the NEXT GENERATION Marine Power & Propul... Read more

View all