On 25 May 2018, the EU General Data Protection Regulations (GDPR) come into force, representing the biggest update to UK data protection in 20 years.
But what does it mean for fleet managers?
Firstly, it can’t be ignored, as compliance is a statutory requirement. And, as most fleet managers deal with ‘personal data’, more widely defined under GDPR, they should understand how the changes affects them.
Despite its complexity, GDPR is an evolutionary change and so many operators should be able to adapt current data protection frameworks, rather than reinvent them. But there are some key differences.
GDPR extends the definition of personal data to include digital identifiers such as IP addresses as well as pseudonymised data that can be linked back to individuals.
Identifiers in telematics systems that correlate data and drivers, including information on location, speed or driving events, may thus be personal data.
This has implications for operators as individuals have new rights over personal data, including the right to be informed of the data being captured, to have access to it, to rectify false or erroneous data, and to seek erasure.
Lawful basis for processing data
In order to deal with personal data, operators need a lawful basis for processing it.
Several options are available as the basis for processing, including driver consent; the performance of a contract; compliance with a legal obligation; to fulfil a task in the public interest or to pursue legitimate interests.
Most operators will probably avoid gaining driver consent and instead utilise legitimate interest or the performance of a contract.
Driver consent is not required if, for example, data is being used for payroll purposes.
If an employee is paid for driving time and telematics data is used to record these times, then processing is covered by the contract of employment. Such use falls under the exception of processing for the performance of a contract and driver consent is not required.
Where relying on legitimate interests, operators must ensure that decision-making in relation to the balance between the interests of the operator and the rights of drivers is documented. Operators must also ensure that drivers would reasonably expect their data to be processed on the basis of the legitimate interests of the operator, which could include fraud prevention, security and safety, amongst others.
In the absence of a contractual or legitimate interest basis, operators must seek driver consent, which has to be specific, unambiguous and freely given. Drivers should know what is captured and why, as well as what happens to it, and who it will be shared with.
Such consent should be documented and ideally incorporated into employment, supplier and driver contracts, as well as procurement T&Cs. Building consent into these procedures should reduce the risk of future conflicts.
“It will be essential for fleet operators to keep audit trails to evidence that specific and unambiguous consent was freely given”
GDPR includes provisions for accountability, governance and transparency, so operators should have documented measures, such as privacy impact assessments, and should adopt ‘privacy by design’ principles. This applies to any data associated with drivers, including that from telematics or fleet management systems.
Fleet data should be managed with due consideration for security. Operators should consider whether their suppliers are GDPR compliant and seek out those with demonstrable competence, such as certification to ISO 27001.
‘Scare stories’ about the impact of GDPR abound. However, with adequate preparation and support from colleagues in legal, HR and procurement, operators should be able to adapt their policies and procedures without insurmountable difficulty
Further information and guidance can be obtained from the Information Commissioner's Office.