GDPR: The Fleet Industry Guide To General Data Protection Regulation
2018 seems to be the year where we’re eating, sleeping and breathing GDPR. We are currently in a period of preparation before the GDPR rules come into effect on the 25th May 2018. Whilst everyone knows we all need to knuckle down and check we’re compliant, as data is at the heart of all our services, many of us are still trying to comprehend what all this means.
The major question at the forefront of everyone’s mind is how will this impact the world of Fleet? In this blog we aim to take you through the key changes and the simple steps you can implement to be ready and compliant.
GDPR – What data matters?
The GDPR only applies to data relating to individuals; it does not relate to businesses. So “personal data” and “sensitive personal data” (any information that allows an individual to be directly or indirectly identified, such as names, numbers and genetic data, as well as location and online identifiers) fall under the GDPR legislation. What you may not know is that business data such as a business name and address, phone number and info@ email address all fall outside of the GDPR.
Whilst this is the case, and there is some ambiguity around the subject, it appears that personal email addresses and signature names at the bottom of emails are considered “personal data”. So this data must be processed in compliance with the GDPR rules.
The European Union is upping its game on companies collecting consumer data, with the aim of protecting all EU citizens from privacy and data breaches.
In a nutshell, “You must have a valid lawful basis in order to process personal data” – The ICO. This is particularly important in today’s increasingly data-driven fleet industry, which, if you were to take a time machine back to 1995 when the laws were first established, would look very different.
Essentially data can be processed lawfully under 6 different categories.
EU citizens will have more control over their personal data. If you want the consumer data, you’ll have to ask for explicit consent from the individual, simple!
The conditions for consent have been strengthened, with more emphasis placed on the “opt-in” process. Consent requests must be clear, concise, easy to understand and in plain English, and it must be as easy to withdraw consent as it is to give it. Companies can no longer rely on illegible terms and conditions, so make sure yours adhere to this new law.
Contract / Legal Obligation / Legitimate Interest
It is likely that the majority of the industry sees Contract / Legal Obligation and Legitimate Interest as their lawful basis for processing data. Fundamentally, these allow you to process personal data on the grounds that your organisation is working towards the legal obligation, contract or legitimate interest of the individual.
Contract / Legal Obligation example - providing a service they are entitled to within a contract.
Legitimate interest example - your organisation offers fleet management services and you collect and process data relating to fleet managers on the basis that the individual is likely to have a legitimate interest in your services.
This is the case as long as the data processing doesn’t infringe on the rights and freedoms of the data subject (the individual) and you can prove that the individual in question is likely to have a legitimate interest in what you are contacting them about. Nevertheless, it is essential to provide an ‘unsubscribe’ method, as the individual should always have the right to ‘opt out’.
It’s also important to consider that, when applying legitimate interest as the lawful basis for processing personal data, there is a responsibility to ensure that the rights and freedoms of the data subject are not compromised. Will processing the data put that person in danger? Will it land them in trouble?
Historically the controller has always held the responsibility when it comes to data compliance. However, with the introduction of the new GDPR legislation things will be changing. Both the processor and the controller will now hold an equal responsibility. If the processor fails, this could have some serious ramifications for the controller too. It’s important for both the controller and their processors (suppliers) to work closely together, ensuring the correct mechanisms, processes and systems are in place to protect data.
Under the current Data Protection Act companies are only encouraged to report data breaches; under the new GDPR, however, any data breach where there might be a high risk to the rights and freedoms of the data subjects must be reported to the Supervisory Authority within 72 hours of becoming aware of the incident. Failure to do so will result in some hefty fines. These can be up to 4% of your annual global turnover or 20 million Euros (whichever is greater!). You can get fined for:
• not having sufficient customer consent to process data
• violating the core of Privacy by Design concepts
• not having your records in order
• not notifying the supervisory authority or the data subject about a breach, and not conducting impact assessments.
Remember, these new regulations will apply to all countries that supply goods and services to an EU country.
Quite a bit to remember already? That’s why it’s important to start planning now.
Working with Third Parties
The good news is that you will still be able to work alongside third parties as you do now, but it’s wise to take some extra cautionary steps to ensure compliance. Work with your suppliers to understand what they have in place, and identify how data is currently stored and transferred between your organisations: is it secure? Importantly, ensure their policies align with your own.
For fleet operators who utilise location-based data in their vehicles, businesses need to be explicit and let the driver know what the information is being used for, and must not use the data for anything else. If a fleet is using geo-location to make sure drivers aren’t taking longer routes than needed, the fleet manager will need to explain in full how the data is being used, as there will be a greater emphasis on things like ‘Opting-In’. The driver must give permission for the information to be used before the data is collected. This could include driver details such as driver name, address, geographical location, previous driving information, car registration, email address, racial or ethnic origin and date of birth, amongst many others.
We must emphasise how important it is for businesses in the fleet industry to document all data processes and procedures associated with personal data throughout all departments, and to consider the purpose for sharing and retaining it. By doing so you will be preparing your organisation and putting it in a strong position to demonstrate that you have been proactive and thorough in the event of an ICO investigation, as they will assess the steps you’ve taken and the risk to the data subjects.
Data Protection Officer
In an early version of the GDPR there was a mandatory requirement for all organisations with 250 or more employees to appoint a Data Protection Officer. However, what some people may not know is that this has now been rescinded.
It is no longer mandatory for all businesses with over 250 employees to appoint a Data Protection Officer. The requirement now applies to public authorities, or organisations that “carry out large scale systematic monitoring of individuals (for example, online behaviour tracking)”.
Whilst that is the case, it is recommended for your organisation’s benefit that you do appoint a DPO, as they will be responsible for the documentation process and, critically, GDPR compliance.
Take the first steps… make your business aware…
Like with anything, the first step is to be aware of the facts and new laws coming into place. These guidelines can be found here.
Then prepare, prepare, prepare…
Preparation is key! The further in advance you prepare, the better you’ll be able to adapt to the changes. To prove you are serious about GDPR you should generate policies based on the standards specified in ISO 27001 and 27002. Your policies should include information security responsibilities for all parties involved; remember, your strategy and policies will be unique to your business.
We recommend applying due diligence to your selected lawful basis for processing and to possible personal data breaches. Identify all sources of data, how each is processed, where it is stored, how long it is stored for and how you transfer each data source. We have found that breaking it down into the 4 stages below has given us a clear guide on what we need to do:
1) Discovery – identifying the personal data the business holds and where it is kept.
2) Management – implementing rules on how personal data is accessed and used; data must be processed in a transparent way, e.g. vehicle and driver data must be deactivated at the end of a contract or lease.
3) Protection – define security controls to prevent, detect and respond to data protection breaches.
4) Reporting – reporting any data breaches, maintaining required documents, delivering on data requests.
With less than 5 months to go, it’s safe to say there’s a lot to do and not a lot of time. We have embraced the GDPR; hopefully most of you will too.
For more information please contact us on 01202 626282.
DISCLAIMER: i247 Group is an outsourced fleet service partner providing driver support, fleet administration and online solutions to the leasing and fleet management industry. Whilst we have performed extensive research into the GDPR legislation and are happy to provide our working knowledge, intended to help our clients to become better prepared, we do not provide legal advice on the GDPR and cannot be held responsible for the GDPR compliance of any organisation other than our own.