Djamel Souici, Group General Counsel, Masternaut
On 25 May 2018 the General Data Protection Regulation (GDPR) came into effect, but it remains a hot topic for many organisations. GDPR is a new regulation, designed and adopted by the European Union, which aims to strengthen data protection law and apply it consistently throughout the EU.
Organisations established in the EU, and organisations outside the EU that process the personal data of individuals in the EU, are both required to adapt to and comply with the new rules. Failure to do so can result in administrative fines of up to €20 million or 4% of annual global turnover, whichever is higher. Whilst the new rules have caused some consternation across many industries, GDPR is mutually beneficial, as it aims to support and improve the data rights of everyone in the EU. Essentially, it increases transparency and gives individuals greater control over the personal data held about them.
When it comes to fleet management, operators should be aware that the way driver data is defined and managed will need to be brought into line with the new standards. Personal data is defined broadly: it covers everything from the driver’s name, identification number and address to the location and vehicle-usage data held on telematics systems, wherever that data can be linked to an identifiable driver. As a market-leading provider of vehicle tracking and telematics solutions, Masternaut is well placed to consider three of the most common questions asked by fleet operators on how GDPR will affect their day-to-day operations.
How can fleet operators identify a legal basis for data processing?
Any fleet operator processing personal data is required under GDPR to identify a ‘lawful basis for processing’. Whilst many organisations have assumed that driver consent is the only way to process driver data lawfully, this is arguably the least suitable option: given the imbalance of power between employer and employee, consent is unlikely to be regarded as freely given, and a driver may withdraw it at any time, leaving the operator without a basis for processing. There are a number of other lawful bases which, for many fleet operators, offer a better fit:
- The performance of a contract – e.g. where telematics data is needed to perform the driver’s employment contract, such as recording working hours for pay.
- Compliance with a legal obligation – e.g. where the operator must keep records that the law requires of it, such as drivers’ hours records.
- To fulfil a task carried out in the public interest – e.g. where the fleet is operated on behalf of a public body.
- To pursue legitimate interests – e.g. where there is a mutual interest between operator and driver, such as fraud prevention or road safety, and the operator has documented that its interests are not overridden by the driver’s rights (the ‘balancing test’).
It is essential that fleet operators strike a balance between the interests of their business operations and the rights of the driver. Whichever lawful basis is chosen, drivers should be kept well informed about what data is collected and why, as GDPR places great emphasis on transparency in data collection and processing.
How will the new regulations affect fleet operations?
As noted, GDPR places great store in transparent data collection and requires that the associated processes are well documented. Whilst the role of the driver in a fleet operation is unlikely to change, the fleet operator or manager will need to adapt to the new processes.
Any information captured from drivers should be justified and documented, e.g. why the operator needs the information, what will happen to it, who will be able to access it and how long it will be stored. Organisations with 250 or more employees must keep a written (including electronic) record of all processing activities, and because routine telematics processing is not occasional, smaller operators will generally need to keep such records too. The record should include the following details:
- Name and contact details of the data controller and of any recipients of the data
- The purposes of the processing
- The categories of data subjects and of personal data being processed
- Whether the data is transferred to third countries or international organisations
- The data retention periods
- An outline of the technical and organisational security measures in place to protect the data
What should businesses look for in a telematics service provider?
When it comes to selecting a telematics vendor, you should choose a reputable supplier that handles personal data in a way that is fully compliant with GDPR. A telematics provider that processes driver data on your behalf is a data processor, so the relationship must be governed by a written data processing agreement setting out what the provider may do with the data and how it will support you with data-subject requests and breach notification. Beyond a good understanding of GDPR, your provider should be able to show you evidence of its data security, such as independent security certification, encryption of data in transit and at rest, and controls on who can access driver data, rather than simply asserting that the data is secure.
Finally, you should ensure that your telematics provider processes, stores, manages and backs up all data within the EU/EEA, or that any transfer outside the EEA relies on an approved mechanism, such as an adequacy decision, standard contractual clauses or, at the time of writing, the EU-US ‘Privacy Shield’ arrangement.
Despite the challenges that have been associated with the preparation for GDPR, this significant update in data protection regulation represents a major step forward for individual rights. The new rules are not designed to “trip up” business but are being implemented to protect personal data in a far more comprehensive and holistic manner.
Compliance is simply an extension of existing best practice.