The General Data Protection Regulation (GDPR), the EU’s new privacy law, aims to clarify discrepancies and bring consistency from country to country with data protection and privacy.
Effectively, it will affect the way companies source, collect, use and record consent for emails and data from EU citizens.
It is a regulation, not a directive and therefore will have binding legal force for any yachting business operating in the European Union, or any yachting company outside of the European Union that processes the personal data of EU citizens.
When does GDPR start?
GDPR will be enforceable in law in all EU member states from 25 May 2018.
Why GDPR compliance is important for yachting companies
GDPR will affect any yachting company that uses personal data from EU citizens, including those with fewer than 250 employees. For example, if your yachting company collects email addresses and sends company newsletters, news or blog updates to subscribers in the EU, you must comply with GDPR.
Crucially, GDPR applies whether you have a digital capture system or simply use a spreadsheet to collate and store client contact details.
The UK, the Netherlands, Germany, Spain, France, Italy and other European markets are all important for yachting businesses and the new regulation will mean over 750 million people will fall under the GDPR’s protective framework.
Aside from the law, responsible data handling is a basic principle of good business practice. By proving to your existing yachting clientele that you are taking steps to be compliant with the new law, you are adding value to your business and showing that you respect their personal data.
Non-compliance with GDPR will lead to heavy penalties such as fines up to €20 million or 4% of a company’s total global annual turnover (whichever is higher).
What changes will this mean for yachting businesses?
Most EU yachting companies process their client data legally under the existing EU ePrivacy Directive; however, once GDPR starts there will be stricter regulations around consent and the use of personal data.
One of the most important things to note is that you’ll only be able to send commercial communication via email to people who have ‘opted-in’ to receive messages.
This has already been the case for most yachting companies; however, from 25 May 2018 businesses must give subscribers ‘clear, affirmative, non-ambiguous and specific’ options for opting in. This includes checking a box on your website or agreeing to another statement or action that clearly indicates consent. Pre-ticked boxes will not be compliant.
Additionally, if someone gives you their email for a competition, giveaway or to download a white paper and you add them to a mailing list, this will now be illegal unless they actively agree to be sent marketing messages.
Companies must keep records of these consents in the event that any forms need to be presented if requested.
10 Steps to Prepare for Data Protection: GDPR Readiness in the Yachting Industry
- As well as new data, GDPR will apply to existing data. If you can’t provide sufficient proof that your existing contacts consented to your mailing list, then you may not be able to email them commercial communications anymore.
- Understanding your data flow is crucial, so you should undertake an information audit by documenting what personal data you hold (e.g. name, address, bank details, IP addresses, photos etc.), where it came from, how it is stored and who/when/how/where it will be shared. This includes client, supplier, partner, and past or present employee personal data. You should review how you seek, record and manage consent and make changes if necessary to be GDPR-compliant. Many yachting companies use third-party hosting or cloud services; the host may have a local address but the servers may be outside the EU. It’s vital that you review your contract to ensure they offer guarantees to meet GDPR requirements.
- Get your existing database up to GDPR standards now by adapting all of your opt-in processes and current privacy notices to meet EU regulations. If you intend to keep collecting emails, you will need to inform your subscribers who is collecting the data, how long you will hold their data and how you intend to use their data. Your consent requests should be separate from any terms and conditions and your privacy notice should detail why you are lawfully processing their personal data.
- Check your procedures to ensure they cover all individuals’ rights under GDPR, such as the right to access and right to delete their data.
- Consider whether you need to implement systems to verify individuals’ ages and obtain parental/guardianship consent for data processing.
- Ensure you have security measures such as encryption and policies in place to detect, report and investigate personal data breaches.
- Nominate someone to take control of data protection compliance. Your company may need to formally appoint a Data Protection Officer, depending on whether you do large-scale monitoring of clients.
- If your yachting business operates in more than one EU member state (e.g. you undertake cross-border processing), you need to determine your lead data protection supervisory authority. This is important in the event of a data breach. You can determine how to choose your lead data protection supervisory authority via the Article 29 Data Protection Working Party guidelines (last updated February 2018).
- Get up to speed with the Information Commissioner’s Office (UK) tools and guidelines to help you comply before 25 May 2018; refer to the link below in the Resources list.
- Train all staff to be aware of the risks GDPR breaches pose and the necessary procedures to comply. This should include regular audits of systems in place and how people interact with personal data.
A study of EU businesses says around 40% are unprepared or unaware of the implications of GDPR. It is going to mean some changes in the policies and procedures for many yachting companies, therefore there has never been a better time to start preparing your business.
This article is written by Rebecca Whitlocke for information purposes. For updates on the changes for GDPR, you can refer to these resources:
If you have found this post useful, please share it on social media.