What is GDPR?
The GDPR became effective on the 25th May 2018 (replacing the current EU Data Protection Directive) and is the most significant piece of European data protection legislation to be introduced in 20 years. The legislation has a global impact and applies to organizations outside of the EU that may be handling the Personal Data (as defined below) of EU residents (defined as Data Subjects). GDPR has also reshaped the way corporations around the world approach data privacy and has strengthened the rights of people who may have their Personal Data processed or handled by other companies.
Both Data Controllers (Pisys Marine customers) and Data Processors (Pisys Marine, which processes data on behalf of our clients) have joint responsibility to abide by GDPR. Data Controllers must only use Data Processors who meet GDPR requirements.
GDPR Does Not Only Affect Companies in the EU
This is the main difference between the GDPR and the older EU Data Protection Directive of 1995. Any company that collects, processes, transmits or stores Personal Data of an EU Data Subject is bound by the GDPR, even if that company is located outside of the EU.
This applies to any company that:
- Collects or processes Personal Data from employees in the EU.
- Collects or processes Personal Data from people (non-employees) in the EU.
- Collects or processes Personal Data from people in the EU on behalf of another business.
Is Pisys Marine a Data Processor or a Data Controller Under GDPR?
Pisys Marine is classified as a Data Processor under the GDPR when we process data on behalf of our clients as a service. Our clients are Data Controllers because they have the direct relationship and collect the Personal Data directly from an EU Data Subject.
Even then, Pisys Marine only receives a very small subset of Personal Data from our clients, and it is almost entirely related to a physical address or geographic location.
As a Data Processor, we do still have an obligation to protect the client data we receive, which is why we have implemented data protections when receiving client data to build privacy by design into our systems and data handling processes.
GDPR is Important to Pisys Marine
Location data such as farm holdings in the UK may be considered Personal Data by our clients, but it should be understood that some of these aspects are important to the work we do.
There are direct implications and obligations for Data Processors of Personal Data. Data aggregation and anonymization are tools used to minimize the risk of processing and sharing such data.
We are committed to working towards a shared operating model with identified requirements so ALL stakeholders are comfortable sharing valuable data insight.
Does Pisys Marine Have a Designated Data Protection Officer (DPO)?
Fulfilling the DPO requirement for GDPR does not require a statutory DPO function to be assigned to a single individual. However, Pisys Marine may work in conjunction with a data privacy governance board if required, which will help address all privacy and data protection issues for the purpose of GDPR compliance.