Top tips for fleets on how to address GDPR
With changes to the way businesses handle your data due to be enforced by the EU soon, the advent of General Data Protection Regulation (GDPR) will strengthen and unify data protection while also addressing the export of personal data outside the EU.
Due to come into law on 25 May, GDPR builds on existing data protection legislation with a particular focus on digitalisation and technology. GDPR reforms that legislation and introduces new principles of transparency and accountability, with the ability to prove consent being a significant pillar of the new regulations.
Penalties for breaching the core principles of GDPR are potentially huge with a maximum fine for companies of €20 million or 4% of total worldwide annual turnover of the preceding financial year, whichever is the higher.
As there is much confusion doing the rounds regarding how this will affect fleets, the Association of Car Fleet Operators (ACFO) has outlined a five-point action plan to help fleet professionals comply with new GDPR rules.
ACFO says fleet decision-makers need to review and check all data collection and whether all information gathered is required. Furthermore it is critical to engage with all employees - company car and van drivers - as well as employees who drive their own cars on business, the so-called ‘grey fleet’.
As GDPR puts employees front and centre, they need to be fully informed and advised about what data of theirs has been captured, how and where it is being used and by whom.
ACFO’s five-point GDPR action plan for fleet decision makers
- Know what personal data is held, including: drivers’ names, home addresses, contact telephone numbers, driving licence details, National Insurance numbers, payment, bank and family details.
- Who has access to the data? GDPR is not just fleet. Many employers have working parties established to confirm what data they have and how it is used, but if that is not the case then check who can access the data that is held for fleet purposes.
- What data is passed to suppliers/contracts by fleet professionals? Partner companies must be asked and confirm what processes they have in place for managing data and be able to show secure data treatment. Most suppliers will be well advanced, but if ‘no answer’ is obtained action must be taken. Contracts should state what data fleets will supply and the frequency and the purpose for which it will be used by suppliers.
- What to tell drivers: make sure they understand where the data is, where it is being used and what is happening with it. For example, it is difficult to order/deliver a car if the supplier is not provided with name and address details.
- Deleting data loaded on to vehicle systems. Satellite navigation systems and mobile phones contain a wealth of data. It is vital to remind drivers to delete the data or reset to ‘factory setting’ ahead of defleet of a company car or the return of a hire vehicle.
ACFO chairman John Pryor said: “Fleet managers will already be doing much of what ACFO is recommending because it is common sense and good business practice. But GDPR brings more business focus.
“GDPR is process driven and while much of what is being asked for is already being done by fleets, under the new rules it is important to have policies in place.”
Data recorded by in-vehicle telematics is perhaps the area of most concern for many fleet professionals as it captures information related to individual driver behaviour and technology.
“If vehicles have telematics fitted, fleet managers should be clear on what the information is used for and who receives it. This will be more sensitive if a driver says they do not want it used. In this case the company needs to be clear and managers should get internal guidance on the position,” added Pryor.
Impact of GDPR on DVLA changes
Ahead of GDPR coming into effect on 25 May, the DVLA has announced that driving licence consent forms typically used by fleets will have to be changed to fall in line with this new data protection legislation.
As licence checks form an integral part of what fleet managers need to do to ensure they cover their duty of care, anyone who manages employees who drive on company business (be that cars, vans, minibuses or HGVs) will need to ensure they are fully compliant with the new processes.
Any companies using paper consent will have to update their processes due to the new GDPR legislation. This also means any driver who has previously signed a consent form will have to re-sign the new fair processing declaration.
Kevin Curtis, managing director of Driving Monitor, said, “With GDPR it’s much clearer how we need to be handling data processing for driving licence checks. It’s good news that the DVLA have looked into this and updated the consent forms that drivers would need to sign.”