On May 25 this year, the EU General Data Protection Regulations (GDPR) will come into force, marking the biggest change to UK data protection legislation in two decades. The update will impact businesses and workers across all sectors, including fleet managers. Today, to manage a fleet of vehicles and drivers effectively, you need data, and much of it comes under the ‘personal’ category. And, seeing as GDPR compliance will be a statutory requirement, it’s crucial you understand what actions to take.
Adapting, not starting again
Firstly, it’s worth noting that, despite its complexity, GDPR is an evolutionary change – meaning most fleet managers, and others who are used to handling personal data on a daily basis, will be able to adapt their existing data protection protocols rather than reinvent them completely. That said, there are a few major differences to be aware of.
Defining personal data
It’s never been all that clear what constitutes ‘personal’ data, and GDPR is going to make defining it even more difficult. It extends the definition to include digital identifiers and nameless data that can be linked back to individuals – such as your drivers. This means any information you keep on location, driving behaviours and speeds could be considered personal data. And, seeing as individuals now also have more rights over their own personal data, you may have to adjust your processes slightly. Drivers, for example, will have the right to know what details are being recorded, to have access to that data, to rectify false information, and even to seek deletion.
Consent may be needed
All of that said, it’s not a given that you need consent from your drivers to keep data on them – it depends what you’re using it for. If, for example, you’re taking telematics data on driving times for payroll purposes, the process should be covered by the worker’s employment contract. Other lawful grounds for data processing include:
Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
Vital interests: the processing is necessary to protect someone’s life.
Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
If your data collection doesn’t fit any of these situations, you will need explicit consent from your drivers. If that’s the case, be open about your reasons, explaining the benefits to all parties clearly – and keep audit trails to avoid legal action.
Are your suppliers in check?
GDPR will affect you as a fleet manager, but it’ll also impact your suppliers. Soon enough, companies will start shouting about their GDPR-compliance, but be sure to consider whether the firms you already work with – technology providers, for example – are adhering. Certifications like ISO 27001 will help here. Having to adjust may seem like an inconvenience, but the GDPR changes are designed to help keep all individuals, including you and your drivers, safe and secure. If you’re already data conscious, it shouldn’t take too much to evolve. More information on the update is available from the Information Commissioner’s Office (ICO).