With the GDPR upon us, the chequered flag for compliance has been waved for fleet operators.
Businesses and their supply chains must ensure they have the appropriate infrastructure, procedures and culture in place if they’re to avoid infringements.
The good news: for many it will largely be a case of business as usual, as the majority of the GDPR requirements are already covered by existing European data privacy laws. Yet there are still some key changes you need to be aware of if you’re responsible for a fleet.
The role of fleet departments in compliance
Although fleet departments will rarely shoulder ultimate responsibility for compliance, they have an important part to play in ensuring that driver data is used lawfully, that there’s a documented audit trail, that responsibilities are clearly communicated and that fleet supplier relationships are managed.
In some quarters, the lawful basis for processing data under the GDPR, such as the data generated by telematics systems, may cause confusion, but fleet operators will often find they have either a legitimate interest or a contractual justification for the processing. Whichever basis you rely on, identify it before the processing starts and record it, because you will need to state it in the privacy information you give to drivers.
Below we provide you with an at a glance summary of the key changes fleet operators should be aware of.
Greater emphasis has been given to the rights of the individual
Company drivers, along with other employees and relevant individuals, must be fully informed in advance about how their personal data is used, why, by whom and for how long. Furthermore, processes should be in place that let them exercise their rights: to access the data you hold on them, to have it corrected, and, with some restrictions, to object to its use or ask for it to be erased. Be cautious about relying on a driver’s permission (consent) as your lawful basis: the GDPR requires consent to be freely given and withdrawable at any time, and the imbalance of power between employer and employee means it will rarely be valid for routine fleet processing.
Fleet operators will more often have a legitimate interest or a contractual justification for processing personal data. Legitimate interest may cover the likes of mileage data processing for leased vehicle contract management, or driver behaviour data to protect drivers’ road safety; it requires you to weigh your interest against the driver’s, and to record that balancing assessment. Contractual justification might include using telematics data to record drivers’ start and finish times where that is necessary to perform the employment contract.
Personal data risks must be identified and mitigated
You have a duty to identify and mitigate the risks of personal data being misused. In practice this means keeping a record of your processing activities (Article 30 of the GDPR) that documents what personal data you hold, why you process it, who it is shared with and how long you keep it, and carrying out a data protection impact assessment (Article 35) before any processing likely to result in a high risk to drivers, which systematic location tracking can be. From a fleet perspective, the data in question might include drivers’ GPS location data, their driving hours, medical conditions relating to their ability to drive, and performance and disciplinary information. Note that health data is special category data under Article 9 and needs a specific additional condition for processing, not just a lawful basis.
You now deal with a single lead regulator
Dealing with just one lead regulator for data protection could prove a big advantage for multi-national fleet companies. Under the GDPR’s one-stop-shop mechanism, cross-border processing is overseen by the supervisory authority of the country where the organisation has its main establishment (usually, but not always, its headquarters), and the same regulation applies in every EU member state. Bear in mind that member states may still set their own rules in some areas, notably the processing of employee data, so fleets operating across borders should check those national provisions. Drivers, for their part, can still complain to the regulator in their own country, which will coordinate with the lead authority.
Data security requirements have been strengthened
Greater protection is now afforded against unauthorised use of personal data, taking into account the current digital environment. Article 32 requires security measures appropriate to the risk, which the regulation says may include pseudonymisation and encryption, and the level of protection must follow from an assessment of the nature and sensitivity of the data in question. From a fleet perspective, higher-risk data might include anything from speeding tickets (data about criminal offences, which attracts extra restrictions under Article 10) to the GPS location data generated by telematics systems. A personal data breach must now be reported to the regulator within 72 hours of becoming aware of it unless it is unlikely to pose a risk to the individuals affected, so fleet operators need a tested procedure for detecting and escalating breaches, including those that occur at a supplier.
Fleet operators should review the GDPR compliance of their suppliers and seek out those with demonstrable competence, such as certification to ISO 27001. Any supplier that processes driver data on your behalf, such as a telematics or leasing provider, is a processor and must be bound by a written contract containing the terms required by Article 28, including obligations to act only on your instructions, to keep the data secure, and to assist with data subject requests and breach notification.
Heavier fines for non-compliance
The cost of failing to comply with the GDPR can be huge, and in some cases could prove business critical. The most serious infringements can result in maximum fines of €20 million or 4 per cent of total worldwide annual turnover for the preceding financial year, whichever is higher; a lower tier of up to €10 million or 2 per cent applies to breaches of obligations such as record-keeping, security and processor contracts.
Want to get all the information on what the GDPR means for you and your fleet? Then make sure you check out our free guide to the GDPR.