Preparing for data protection: GDPR readiness in the cruise industry

Taking control of your data is critical, says Lee Clarke, regional director for the Northern Hemisphere at Dynama. Here, he assesses the implications of stricter data protection legislation on the cruise industry and offers a survival guide for today’s fastest-growing leisure sector.

New legislation that overrides national data protection laws comes into effect on 25 May 2018. The European General Data Protection Regulation (GDPR) is the latest hot topic across a wide range of industries, but what does it really mean for the cruise industry?

GDPR seeks to broaden the scope of personal privacy laws and protect the data rights of European Union (EU) citizens. Individuals will have far greater control over who has their data and how it will be used. Regardless of where the company head office is registered or where corporate accounting takes place, for organisations operating cruise ships visiting European ports, employing European crew and processing EU residents’ personal data, it’s time to prepare for GDPR.

Cruising is today’s fastest growing leisure industry and with that accolade comes responsibility for managing infinite numbers of passenger records as well as crew member details. The introduction of GDPR will require organisations to report on data breaches within 72 hours, putting enormous pressure on new expanding businesses operating in a highly competitive marketplace.

Worldwide statistics suggest that data breaches are a growing concern. According to digital security experts Gemalto, there were 974 publicly disclosed data breaches in the first half of 2016 which led to the theft or loss of 554 million data records, a 31% increase over the previous six months.

Moreover, just as cruising is becoming even more popular and cruise ship order books are at an all-time high, financial penalties for GDPR non-compliance are a scary prospect. Those who fail to deliver face a fine of €20m or 4% of their global annual turnover (whichever of the two is higher). For most companies, this could signal irreparable damage to their corporate reputation or even put them out of business altogether.

All sounds a little frightening? The truth is those who tackle GDPR head on have nothing to fear and everything to gain in terms of new levels of customer loyalty based on greater transparency and deeper trust.

Samsung-designed smart bracelets connect to the MSC for Me system. Image courtesy of MSC Cruises

Preparing for GDPR readiness: improving data control

Achieving GDPR readiness depends on good preparation. Getting good advice is essential but what can you do to prepare in the meantime? Why not begin by taking the following three steps:

KNOW YOUR DATA – it might sound obvious but it is surprising how many companies fail to identify and classify their guest and crew data:

  • What type of data is held?
  • Where is it located?
  • What levels of security are required to keep it safe?
  • Who has access to the data?
  • How is it used?
  • Most importantly, have passengers and crew given their consent to its use?

MAKE DATA CONTROL PART OF THE JOB SPEC – if the company is big enough or budgets allow, you may be advised to hire a dedicated data protection officer who oversees the establishment of control and processes necessary for data protection and privacy. Regardless of your approach, creating consistent processes that are clearly communicated throughout the organisation and form part of working practices can help to ensure data security is a priority with all staff and crew whatever their role.

GOOD TRAINING IS ESSENTIAL – staff should know about GDPR and its impact on their role, the risks to the organisation in terms of reputation and financial damage and, ultimately, that there may be disciplinary risks to individuals if things go wrong. Regular updates should be relevant, reasonable and practical, i.e. how to deal with passwords, destroying data, sending emails and attached files, etc.

Make technology your new best friend: Improving compliance with automation

Relying on spreadsheets or purchasing ‘bolt-on’ IT systems is no longer enough to cover up the cracks of lazy data management. Being ready for GDPR isn’t just about finding data and making sure it is secure, it’s about capturing the context of that data and being able to prove that everything is being done to protect crew and passengers’ personal information at all times.

Automation is the way to go and, fortunately, the latest workforce management technology goes beyond ensuring the right crew members are on the right ship at the right time. Use technology as an all-round strategic data management tool to release the following benefits:

SPEED AND EFFICIENCY – automation and centrally stored information will also remove duplicated effort and reduce administration, time and staff costs.

INTEGRATION – an organisation-wide active directory guarantees the security of all login credentials, the crucial first step to securing crew and passengers’ details.

SOPHISTICATED SECURITY – keep both crew and passenger details safe by setting up a well-defined security model that controls how data is segregated and who has the authority to access, use and change it. Customer screens can be configured to ring-fence any sensitive data that passengers choose to store, credit card details for example. Similarly, personal information such as address details can be anonymised or hidden from view when not required for personal identification but is still retained in the original records for auditing purposes.

ADVANCED REPORTING CAPABILITIES – the ability to report on data quickly and then translate it into highly visual, easy-to-grasp representations in a variety of formats is invaluable to supporting requests for information from GDPR assessors, often at short notice.

EFFECTIVE COMPLIANCE MANAGEMENT – clear visibility of critical data and the automatic recording of all changes made to data provide a valuable audit trail with the hard evidence to aid compliance with GDPR legislation and so minimise the risk of financial penalties.

NO MORE SILOS – automation encourages consistent ways of working across departments and the organisation as a whole. For example, it is possible to build a GDPR process into the system that is easy to follow and includes how to spot and deal with potential data breaches.

ACCOUNTABILITY – the latest solutions are simple to use, interface with a variety of mobile devices and are highly configurable. They empower crew members to own data and make sure it is accurate, trustworthy and accessible. They also flag up potential critical issues, making it possible to take proactive remedial action to avert crisis situations.

CONVENIENCE AND SCALABILITY – the flexibility of a future-proof system enables users to consume and manipulate data in a more connected way, whether an organisation has just one cruise ship or an entire fleet. It can quickly adapt to changing GDPR requirements and associated in-house processes as they occur.

Start now! The more advanced an organisation is along the way to GDPR compliance, the lower the risk of breaches occurring once GDPR comes into play. Seek professional advice and be prepared internally with a data asset register, robust processes and training, then wrap them up with the right technology to create a best-practice data governance framework.

Who knows, the reward could be the added bonus of greater passenger satisfaction, trust and customer loyalty.

Dynama does not offer legal advice or GDPR consultancy.

Cover image is courtesy of mariakraynova / Shutterstock.com