What is GDPR? It stands for General Data Protection Regulation, a regulation the EU is introducing to protect the privacy and personal data of its citizens more robustly and in a standardised way. After the UK has left the EU through Brexit, our government is expected to maintain a framework very similar to GDPR.
Any organisations with over 250 people as well as certain smaller entities that regularly collect information about EU citizens will need to comply with the new GDPR rules by May 25th 2018.
Breaching compliance could see an organisation fined up to €20 million or 4% of its previous year’s global annual turnover depending on the nature of the transgression. Only children aged 13 or over will be legally able to provide their own consent when GDPR comes into force.
One of the new law’s key changes makes organisations responsible for data protection breaches no matter where in the supply chain they occurred, while sharing that responsibility with anyone who handles the data. What implications does this have for fleet managers looking after numerous cars and vans?
For businesses that already take data protection seriously and have suitable systems and processes in place, GDPR isn’t something to be frightened of and shouldn’t cause massive amounts of extra work.
The first step for any organisation with a vehicle fleet is to evaluate its complete supply chain and map all data-flows throughout its operations, assessing who processes data at each point and whether each link is secure.
All manner of business communication and data-transfer comes under GDPR’s remit, from accounts and payroll systems and CRM information to seemingly innocuous emails, meaning that all staff will need to be careful to avoid something seemingly trivial such as accidentally copying an unauthorised person into an email thread. It’s just common sense, really.
Desktop and cloud fleet management software such as Chevin FleetWave Essentials, which a number of our clients use, contains a mountain of personal information, from addresses, dates of birth and relationship statuses to vehicle details and driving licence data including convictions. GDPR’s definition of personal data is much wider than the EU’s previous data regulations, now even including IP addresses, so the broad remit will likely mean that locations, timestamps, speed and other data from telematics systems will now be considered personal data.
Specific, unambiguous and freely-given driver consent to their information being collected and processed will need to be provable. Equally, a data controller’s lawful reasons for doing so will also need to be justifiable. Reasons can include an organisation’s need to track fuel costs, monitor and reduce fleet CO2 emissions, and work to improve its drivers’ safety.
However, fleet managers will almost certainly be able to use existing employment contracts or payroll records as consent, while for jobs that require driving, such as a salaried courier, data processing will come under the justification of ‘performance of a contract.’
The BVRLA recommends that fleet operators should keep an audit trail as evidence that acceptable consent has been given, the focus going forward being on affirmative action rather than the pre-ticked boxes that some entities have relied on until now.
Responsible for monitoring data protection and prosecuting those who flout the rules, the Information Commissioner in Wilmslow urges companies to make their people aware of GDPR as a first step. Privacy notices, procedures for handling requests from data subjects, consent processes, the relevance of currently-held data and steps for handling breaches all need to be reviewed and, if necessary, updated prior to May 25th 2018.
Under GDPR, fleets themselves will be responsible for information and data rather than their suppliers such as telematics, dash-cam or in-cab camera providers. The press has been discussing GDPR for several months so it’s unlikely that such suppliers will be resting on their laurels, instead ensuring that their systems are GDPR compliant as soon as possible ahead of the date the new laws come into effect.
Fleets that carry out licence-checking themselves or via an external agency will need to take steps to ensure that driver data confidentiality is maintained, and fleets that utilise telematics systems will need to ensure that drivers’ personal data is private in cases where different staff drive the same vehicle from time to time. Steps will also need to be in place for the de-hire or de-fleet stage when a vehicle is taken off the fleet for sale or return to the leasing company.
In this age where ‘big data’ collected from vehicles and countless other sources is being utilised to great effect by many organisations, fleets and other firms are encouraged to embrace the introduction of GDPR as an opportunity rather than an inconvenience or burden.
For car and van leasing packages and fleet management services, get in touch with our contract hire team at your convenience.