Operators of vehicles need to take action now to prepare for new legislation which will affect their data; waiting until the last minute is not a viable option. Helen Goldthorpe and Richard Wadkin from corporate law firm Shulmans LLP discuss how GDPR is set to affect the road transport industry.
As technology develops, an increasing volume of data is held across all areas of the road transport and logistics industry. Drivers, in particular, generate a huge amount of personal data from a variety of sources, such as telematics devices, handheld devices or in vehicle video and dash cams.
To effectively and compliantly manage a vehicle fleet it is necessary to use a wide range of personal data about drivers. However, a monumental shift is on the way in the rules governing the use of this information, which will have a big impact on operators moving forwards.
The General Data Protection Regulation (GDPR) is a new law relating to data protection, due to take effect on May 25 2018. This may still sound some way off, but significant steps are needed to ensure your business is fully compliant.
Many question whether the need for compliance with GDPR is still relevant, given the outcome of the Brexit referendum vote. However, the government has made it clear that it intends to propose a new Data Protection Bill which indicates the law will go ahead. Therefore, all UK organisations will need to comply with GDPR ahead of the May deadline, or risk being in breach.
Managing a fleet is virtually impossible without holding at least some data on individuals. This includes checking driving licence details, keeping records of vehicle usage and possibly the more detailed data that can be captured by telematics or recording devices. There is also potential use of data about third parties if they are involved in incidents with the vehicles, whether as part of a claim or because they are recorded on camera. It is common for personal data to be processed by or transferred to third parties, for example during the licence checking process, when dealing with any speeding or parking tickets, or in dealings with insurers.
This means that it is vital to work through how this data is used and safeguarded, and to make preparations to ensure that your business will continue to operate compliantly beyond May. Even organisations that are currently data protection compliant will have some adjustments to make.
In terms of the headline changes, GDPR gives individuals more control over how their data is used. It is important to be clear about the purposes of any data collected, as well as the safeguards which need to be put in place to protect it. Where you rely on consent to process personal data, you may need to be more explicit about how the data is going to be used at the time of obtaining consent, in order for the individual’s approval to be legally valid and informed. After GDPR comes into effect there will be ‘privacy by design’ and ‘privacy by default’ obligations that require businesses to minimise data and incorporate aspects of data protection into the planning of any new project or processing activity. In some cases, it may be necessary to carry out a formal Privacy Impact Assessment before introducing new types of processing data, such as the introduction of telematics or in-vehicle recording devices within a fleet. Whilst it is already important under current laws to consider the data protection implications of doing this properly, GDPR will impose an obligation to carry out a full assessment and, importantly, to document it.
Data Protection Officer
For some organisations, GDPR will require the designation of a Data Protection Officer (DPO) if they carry out regular and systematic monitoring on a large scale. Whilst this role may already exist in some form, GDPR imposes much stricter qualifications and experience requirements, meaning that simply ‘wearing this hat’ alongside a regular day job is unlikely to be sufficient. Recruiting or training a suitable individual should be an immediate concern, as in reality there are not enough adequately qualified specialists in the market to meet demand.
Another factor for consideration is that individuals are becoming more aware of their legal rights in respect of data protection, and the scope of these rights is increasing. Subject access requests are increasingly common with individuals wanting to know what data is held on file about them and their family. All organisations will need to have a comprehensive understanding not only of the data they hold, but also where it is stored. The deadline for complying with such requests will be reduced to 30 days once GDPR is in effect.
Failure to tackle GDPR in time for it to take full effect could lead to significant consequences for any organisation. The Information Commissioner’s Office (ICO) will be able to impose fines based on a percentage of worldwide turnover or a fixed sum, whichever is higher. In some cases, this can be up to €20 million, a steep increase from the current maximum fine of £500,000.
Perhaps more importantly, any step taken by the ICO can and will be published. This not only puts the organisation under the scrutiny of the ICO going forward, but puts any breach or investigation in the public domain. Where trust and safety are the foundation stones of your organisation, this reputational risk could have consequences far more damaging than any monetary fine. It is inevitable that such matters will also be considered by Traffic Commissioners when considering matters of repute in the context of an application for an operator’s licence and in considering action to be taken in respect of an existing licence.
With so much to consider regarding how GDPR will affect those who manage and operate transport, it is important to make a start now on understanding how your organisation uses and protects personal data.