Risk assessment of data protection in the maritime industry using system-theoretic process analysis

Abstract

The maritime industry is one of the most hazardous industries in the world. Risk assessment is applied in various contexts within this industry to prevent hazardous situations affecting systems and humans. Risk assessment in the maritime industry relates to accident situations and cybersecurity. In addition, many industries have studied data protection to mitigate risks associated with their customers’ personal data. The maritime industry has collected a significant amount of personal data within its systems, including passenger information, cargo details, and ship location data. Data protection assessment is a significant issue to security and privacy enhancement. In terms of data protection, The General Data Protection Regulation (GDPR) outlines risk assessment provisions in Article 35 (Data Protection Impact Assessment, DPIA), setting the standard for all industries. The risk assessment method is not specified as it depends on the organization's context and other related factors. System-Theoretic Process Analysis (STPA) is chosen and applied with DPIA as the assessment method in this study through a comparison with other methods commonly used in the maritime industry. STPA identifies risk causes in systems and human interactions, guiding mitigation efforts. This research aims to assess risk in data protection by applying STPA with DPIA for regulation alignment. The outcome shows the STPA approach in data protection assessment with four steps of analysis. This generic approach will enhance the processing of data protection in the maritime industry, both in operations and assessment, which could be applied in real business in the future.