EU General Data Protection Regulations

On 25th May 2018, the EU General Data Protection Regulations came into force in all EU Member States, including the United Kingdom. These regulations superseded the existing data protection legislation and introduced a more rigorous data protection regime.

The GDPR governs the collection, storage and handling of personal data, that is, information which can be used to identify a natural person directly or indirectly, such as their name, address, date of birth, medical records etc. GDPR applies both to information originating within the EU and to data originating outside the EU once it is brought within the EU. Positive consent will generally be required from individuals for the collection, storage and processing of their data. The GDPR requires firms to take steps to protect the individuals’ data that they hold in either physical or digital form, and to have appropriate systems and processes to govern the collection, retention and erasure of such data. Firms are obliged to report any data breaches to the Information Commissioner’s Office. The GDPR confers specific rights on individuals in relation to their data, subject to certain limitations. These rights include:

  • To be informed that their data is being held
  • To have access to their data
  • To have errors in their data rectified
  • To have their data erased
  • To restrict processing of their data
  • To object to the holding of their data

GDPR has a significant impact on companies in the EU that hold individuals’ data, either as employers or as part of their business, and affects the way that the UK Club and the Managers handle Members’ claims. If Members have questions regarding the GDPR they may contact the Club’s Chief Operations Officer, Philip Clacy, or their usual Club contact.


Date: 18/12/2017
Source: 2017 The Security Awareness Company, LLC.

What is the GDPR?

On April 8, 2016 the European Union adopted a new regulation called the General Data Protection Regulation. It replaces the EU Data Protection Directive and applies to all member countries without the need for national legislation. After four years of discussion and amendments, the regulation officially takes effect on May 25, 2018 and places the EU at the forefront of data protection standards.

What does the GDPR do?

The EU Data Directive, established in 1995, was a great step towards protecting the personal information of EU residents, but because it wasn’t normalised across all member states, there were inconsistencies that made it difficult for organisations to operate in multiple states. The GDPR addresses that shortfall by defining specific standards for the protection of data that apply to all data controllers, regardless of location. Ultimately, the end goal of the GDPR is to make regulation easy for data controllers around the world to follow, while also maximising the protection of data for EU residents.

What is Personal Data?

Article 4 of the GDPR defines personal data as:

“any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;”

What does the GDPR require of organisations?

In order to comply with the full scope of the GDPR, it is recommended that organisations seek legal counsel. At a minimum, here are a few high-level action items:

  • Get consent: A data controller must be able to prove that consent was given by the data subject.
  • Conduct a Data Protection Impact Assessment: It’s important to assess the privacy risks of processing individuals’ personal data.
  • Where appropriate, appoint a data protection officer: This person is responsible for overseeing compliance and data protection strategies.
  • Be prepared to report data breaches: Under the GDPR, organisations must report a breach within 72 hours.
  • Maintain records of processing: Article 30 states that controllers “shall maintain a record of processing activities under its responsibility” and defines seven types, which can be found here.

Failure to comply

Organisations that fail to comply will face significant fines, as high as four percent of the organisation’s annual revenue. Furthermore, individuals may take action against any entity that improperly handled their personal data.

More information on GDPR can be found here on the Club's GDPR page.

