28 March 2018
What does GDPR mean for fleet managers?
On May 25 this year, the EU General Data Protection
Regulations (GDPR) will come into force, marking the biggest change to UK data
protection legislation in two decades.
The update will impact businesses and workers across all
sectors, including fleet managers. Today, to manage a fleet of vehicles and
drivers effectively, you need data,
and much of it comes under the ‘personal’ category. And, seeing as GDPR
compliance will be a statutory requirement, it’s crucial you understand what
actions to take.
Adapting, not starting again
Firstly it’s worth noting that, despite its complexity, GDPR
is an evolutionary change – meaning most fleet managers, and others who are
used handling personal data on a daily basis, will be able to adapt their
existing data protection protocols rather than reinvent them completely. That
said, there are a few major differences to be aware of.
Defining personal data
It’s never been all that clear what constitutes ‘personal’
data, and GDPR is going to make defining it even more difficult. It extends the
definition to include digital identifiers and nameless data that can be linked
back to individuals – such as your drivers.
This means any information you keep on location, driving
behaviours and speeds could be considered personal data. And, seeing as
individuals now also have more rights over their own personal data, you may
have to adjust your processes slightly. Drivers, for example, will have the right
to know what details are being recorded, to have access to that data, to
rectify false information, and even to seek deletion.
Consent may be needed
All of that said, it’s not a given that you need consent
from your drivers to keep data on them – it depends what you’re using it for.
If, for example, you’re taking telematics data on driving times for payroll
purposes, the process should be covered by the worker’s employment contract.
Other lawful grounds for data processing include:
Legal obligation: the processing is necessary for you to
comply with the law (not including contractual obligations).
Vital interests: the processing is necessary to protect
Public task: the processing is necessary for you to
perform a task in the public interest or for your official functions, and the
task or function has a clear basis in law.
Legitimate interests: the processing is necessary for your
legitimate interests or the legitimate interests of a third party unless there
is a good reason to protect the individual’s personal data which overrides
those legitimate interests. (This cannot apply if you are a public authority
processing data to perform your official tasks.)
If your data collection doesn’t adhere with any of these
situations, you will need explicit
consent from your drivers. If that’s the case, be open about your reasons,
explaining the benefits to all parties clearly – and keep audit trails to avoid
Are your suppliers in check?
GDPR will affect you as a fleet manager, but it’ll also impact
your suppliers too. Soon enough, companies will start shouting about their
GDPR-compliance, but be sure to consider whether the firms you already work
with – technology providers, for example – are adhering. Certifications like
ISO 27001 will help here.
Having to adjust may seem like an inconvenience but the GDPR
changes are designed to help all individuals, including you and your drivers,
safe and secure. If you’re already data conscious, it shouldn’t take too much
to evolve. More information on the update is available from the InformationCommissioner’s Office (ICO)