The European General Data Protection Regulation and Webfleet
On 25 May 2018, the EU General Data Protection Regulation (GDPR) applies across the 28 member states of the European Union. It replaces the 1995 Data Protection Directive and the diverging national laws that implemented it. The GDPR can be seen as an upgrade of those laws: it consolidates the opinions and judgements that regulators and courts across the EU have built up over the years and adds the elements that matter in today's online world. Effectively, this means that most of what the GDPR requires already existed in law, so in our opinion the GDPR should largely be treated as business as usual.
Key elements in the General Data Protection Regulation
Like previous privacy laws and regulations, the GDPR is aimed at protecting the interests and rights of individuals, while their data is used for various purposes to serve them, and serve the interests of others, for economic benefit or for the public good. The GDPR is therefore highly relevant for consideration in the workplace environment.
Here we will present a few of the important new elements in the GDPR, which in our opinion, require particular attention from Webfleet customers:
- The individual, also as an employee, is front and centre
Empowering people regarding their data is key to the GDPR. After all, data from or about an individual is a reflection of their identity, their behaviour and their preferences: it is who we are. The GDPR requires that individuals are fully informed in advance about what happens to their data: what data is used, why it is used, how long it is used and by whom it is used. They must also have influence over that, for example by giving permission, by entering into a contract and, with some restrictions, by being able to have the use of their data stopped upon request.
- Accountability and risk-based approach
If, as a business, you decide what happens to data from individuals, you must step up to that responsibility and be able to demonstrate that you do this properly, respecting the rights of the individuals as well as the GDPR. With everything you do with data, you must take into account the risks to the individual concerned. In our view, this requires documentation of your activities regarding data and of why you consider that processing necessary. The GDPR also requires a Data Protection Officer (who may perform this role part-time alongside other tasks) to be appointed to oversee this if you meet the threshold set in the GDPR, for example if your core activities involve regular and systematic monitoring of people on a large scale.
- One-stop shop regulator
In our opinion, the GDPR was drafted to unify the previously diverging privacy laws across the EU. That is a plus for multi-national businesses using our services, especially those whose vehicles cross borders. It also means that if you run a business across several EU countries, you will generally only have to deal with one lead regulator: the one in the country where your main establishment is. Likewise, individuals can raise complaints with the regulator in their own country.
- Stronger security requirements
The GDPR requires personal data to be protected against all kinds of unauthorised use, with the level of protection based on an assessment of the sensitivity of the data and the risk to the individual. Location data, although not one of the 'special categories' of data listed in the GDPR, must be treated with care because a trail of locations can reveal a great deal about an individual (home address, routines, visits to medical or religious sites). This requires technical and organisational security measures to be in place to mitigate those risks. If these measures fail and a personal data breach occurs, the GDPR requires the controller to notify the supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the individuals concerned. The affected "data subjects", i.e. the persons the data concerns, must also be informed without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
The GDPR grants privacy regulators various powers of enforcement. One of these powers is the possibility to impose fines in case of non-compliance. For the most serious infringements the GDPR allows fines of up to EUR 20 million or 4% of total worldwide annual turnover of the preceding financial year, whichever is higher, depending on the nature and severity of the actual breach of the GDPR.
Broader elements of the General Data Protection Regulation, carried over from previous law
The General Data Protection Regulation (GDPR) applies to the personal data of people in the EU and governs its 'processing', which covers collection, storage, transfer, use and any other operation performed on that data.
- Personal Data
Key in the GDPR is the notion of Personal Data. Essentially that is any data that relates to an identified or identifiable human being. This includes data that is linked to a person only indirectly, through unique identifiers such as number plates, a VIN (Vehicle Identification Number) and/or other device identifiers. It is important, in our view, to consider that under the GDPR it does not matter who is actually able to identify the person. If someone can reasonably identify an individual from the data, possibly by combining it with other information, the data has to be considered personal data even if no actual identification is ever performed. In our opinion, it is not required to know someone's name in order for data about them to be considered personal data. It is also important to note that having personal data does not mean that it cannot be used; it just means the GDPR applies and certain conditions must be fulfilled.
- Predefined, specific purposes only
The GDPR provides for personal data to be used for one or more predefined purposes. These need to be specific and clearly described. The individual must be able to understand what a purpose means. An individual should be able to answer the question: does this use case indeed fit within the purpose?
- Fit for purpose & kind, volume and time limitations
The GDPR requires personal data to be 'rightsized' in terms of kind, volume and how long it is stored, based on the purpose that was defined. Rightsized means processing only what is strictly necessary for that purpose, not more and not for longer.
- Understandable explanation in advance
In our view, personal data processing requires a well-written, user-friendly explanation. Like a manual, not like a contract. Of course, the explanation must be available to the individuals before you start using their data and also remain available to them.
- Conditions for lawful processing must be met
In order to legally process personal data, the GDPR requires a valid lawful basis for doing so. There are six available lawful bases for processing:
- Consent, where the individual has freely given clear and specific permission for a particular purpose
- Performance of a contract with the individual
- Compliance with a legal obligation
- Protection of the vital interests of the individual or another person
- Necessity for a task carried out in the public interest or in the exercise of official authority
- Necessity for the legitimate interests pursued by the controller or a third party, except where those interests are overridden by the interests or fundamental rights of the individual
In our opinion, four out of six of these lawful bases are relevant to businesses; one lawful basis for processing data with Webfleet could, for example, be explicit permission. Please be aware that the GDPR does not require permission in all cases, nor is consent always desirable, particularly in employment relationships, where the imbalance of power between employer and employee makes it hard to show that consent was freely given. The GDPR allows personal data to be used without consent to the extent this is needed to fulfil a contract with the counterparty. It could also be that a specific law requires the use of personal data. In these cases, asking for permission is not required.
As per the sixth basis above, the GDPR also allows personal data to be processed without asking for consent when you have a legitimate interest to do so, balanced against the interests of the individual. Typically, this relates to detecting fraud, abuse and security issues, and to business analysis. This may also apply in the work environment to situations not covered by the employment agreement, such as the various purposes for which vehicle telematics is used. In those cases, in our opinion, you should document the balancing of interests, collect only the minimum data needed for the purpose (to minimise the impact on the individual's right to privacy) and make clear to the individuals concerned how this data collection complies with the GDPR.
- The individual's right to view, correct, object to, erase and download/transfer data
The GDPR grants rights to individuals when their data is processed. It provides a right of access, allowing data subjects to view the data and obtain a copy. If the data is incorrect, they may request correction. They may object to processing that is based on legitimate interests, after which the controller must stop unless it can demonstrate compelling grounds that override the individual's interests. Where processing is based on consent or on a contract and is carried out by automated means, individuals also have the right to receive their data in a machine-readable format and to have it transferred to another provider. Finally, they may request erasure in defined cases, for example when the data is no longer necessary for the purpose, when they withdraw the consent on which the processing was based, or when they have successfully objected to the processing.
- Protect confidentiality, integrity & availability with good security measures
Personal data must be kept secure according to the GDPR. That means well protected against unauthorised and unlawful access, use, alteration and loss. According to the GDPR, this must be done on the basis of a risk assessment leading to appropriate technical and organisational measures, which must be implemented, tested and maintained on an ongoing basis rather than put in place once.
Roles of the data processor and data controller under the General Data Protection Regulation.
At Webfleet, we help our customers to get closer to their drivers.
As a data processor, we act on the instructions of our customers: while delivering our fleet management services through our hardware, we collect vehicle- and driver-related information, process it and present it through our apps, web-based user interfaces and APIs.
- Our customers use our products for fleet optimisation. Examples of the purposes include:
- Vehicle tracking
- Driving behaviour monitoring and fuel saving
- Driver communication
- Tachograph and remaining driving time information
- Extensive management reporting for business optimisation
- Third-party solution integration
- What data do we collect and process on behalf of our customers?
- Transactional data: Data which is created by using our products, especially devices.
- User managed data and created content: Data which is created by users of Webfleet products.
- Aggregated data: Data derived from transactional data by applying statistical analysis.
For personal data collected in our own interactions with customers, for example on our website, Webfleet is the data controller.
Webfleet, Data Protection and the GDPR.
At Webfleet we have studied the impact of the GDPR since 2012 when its first drafts were published. We have made it an integral part of how we have developed and evolved our Telematics offerings for our customers in the past years. To us, the GDPR is an evolution, not a revolution. To help with getting things right, we have established 5 core design principles:
- The Webfleet customer in the driving seat
Webfleet always operates under instructions from the Webfleet customer. The data relates to the customer's fleet and drivers, and the customer is in control. This means that we offer the customer a highly configurable solution. While we propose various purposes for which it can be used, the Webfleet customer takes the final decisions on the purposes for which it is used and on how, in detail, the system is configured and operated.
- Respect other stakeholder interests
Our system can be configured to recognise many different stakeholders with different roles, responsibilities and capabilities in different situations. Webfleet customers, for example, can allow drivers to distinguish between business and private trips and supervisors of drivers can be restricted in what they can see and do. We also support the Webfleet customer in honouring the rights the individuals have, for example, with respect to the access and erasure of their data.
- Data, fit for purpose – no more, no less
Webfleet customers can configure, in various ways, what data is collected and how long it is kept. To make this easier, we have included reasonable defaults for the use cases our fleet customers typically have, but Webfleet customers are free to deviate from these default settings.
- If you cannot explain it, do not do it
We advocate ensuring everyone is on board with how their data is being used by providing explanatory materials, including online manuals and training materials, in simple easy-to-understand language.
- Detect and protect against misuse
Information security is key at Webfleet, and our information security practices are externally verified and certified annually. Obviously, the best way to deal with a data breach is to not have one. Yet incidents may occur, and that is why Webfleet maintains a robust incident response process, which includes notifying you promptly and working with you towards resolution.
Download the GDPR Best Practice Guide for Telematics
Your comprehensive guide to best practice regarding the General Data Protection Regulation and Telematics, with a useful action plan to help you take the steps to become compliant.
Further information on the General Data Protection Regulation.
If you have further questions on the General Data Protection Regulation please contact us here.
Further information on the General Data Protection Regulation is available from the European Commission and from the UK Information Commissioner's Office (ICO).
More information about Webfleet, Data Protection, Security and Privacy.
At Webfleet, we are committed to the security of information and to data privacy. We invest continuously in our engineering, proven technologies, processes and people to make sure we can always provide you with a reliable telematics service.
As one of the world's largest providers of telematics services, continual investment in our service is important. We keep improving to make sure that we are the best partner for your business, now and in the future. For more information on data security and privacy of the Webfleet Telematics Service Platform, learn more here.