Everything fleet operators need to know to comply with GDPR
The General Data Protection Regulation (GDPR) comes into effect on 25th May 2018, replacing the Data Protection Act 1998 (DPA).
While this will impact all areas of the automotive industry, it will have a particular impact on fleet operators because of the vast volumes of data handled through telematics and the associated devices designed to track driving.
The key changes of GDPR
The new regulation reflects the changes in how businesses now gather, store and process data, and was designed to unify data privacy laws throughout Europe. While it is important to study GDPR in its entirety, there are some key areas that will have a direct impact on fleet operators.
Expanding the definition of data
GDPR uses a broader, more detailed definition of what can comprise personal data, reflecting modern changes in our use of technology. Something like an IP address (the number assigned to any device accessing the internet) can now be considered personal data.
Privacy by design
Data privacy by design is an existing model, but this is the first time it has been written into legislation. It promotes the idea that security should be the main priority when developing new systems rather than something bolted on afterwards. Each component of the development should be scored according to its risk. While this makes designing systems more expensive at the outset, accounting for security vulnerabilities from the start means fewer updates will be required later.
While the DPA only applied to data controllers, GDPR extends liability to any party that handles that data, including data processors. This applies regardless of the geographical location of the processor. This means that every part of the supply chain must take responsibility for compliance, and you must be aware of the data that any third parties are capturing on behalf of your business.
There are increased penalties for any failure to comply with GDPR. The maximum fine is now up to 4% of annual turnover or 20 million euros, whichever is greater. For violations concerning the processing of internal records, the fine can be 10 million euros or 2% of annual turnover.
Data subjects now have the right to be forgotten. This applies where data is no longer being used for its original purpose, meaning that fresh consent must be sought if the controller wants to change the way the data is used. Data must also be deleted at the request of the data subject.
New rules on consent to process
A high standard of consent is required for the right to process personal data. The burden will be on the data controller and processor to ensure that consent meeting the legal standard has been given. A proper audit trail will be required in order to prove that permission to use data was obtained unambiguously. This means that forms can no longer simply include pre-ticked boxes, as an affirmative action from the data subject will be required.
What should fleet operators do to ensure they are compliant with GDPR?
All members of the business should be given appropriate training to ensure they fully understand the six principles of data protection. These are:
- Data must be processed lawfully, fairly and in a transparent manner.
- Data must be collected for specified, legitimate and explicit purposes.
- Data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
- Data must be accurate and, where necessary, kept up to date.
- Data must be kept in a form that permits identification of data subjects for no longer than is necessary.
- Data must be processed in a way that ensures appropriate data security.
While there are changes coming, fleet operators handle a lot of data and should already be following data protection best practice. However, it will be vital that all key stakeholders are appropriately briefed on their responsibilities in relation to GDPR, and infrastructure should be reviewed to ensure it is able to handle any increased demands.