The Quick Guide to GDPR for Fleet Managers
18 June 2018
From Facebook to your local greengrocer's, GDPR affects pretty much every business that deals with or processes personal data — meaning fleet managers are certainly not exempt.
The real question, then, is not if it affects the operation of your fleet, but rather exactly how it does and what you need to do about it.
Sounds serious. And it is — the EU General Data Protection Regulation (GDPR), which came into force on 25th May 2018, is the biggest update to UK data protection in two decades.
But that doesn’t necessarily mean it’s a lot of work. If your business already follows good data privacy guidelines, it should be a relatively straightforward task of adapting current frameworks, rather than scrapping and reinventing them from scratch.
Here are some of the key points regarding GDPR for fleet managers so you can make the transition to better data privacy smooth and whoppingly-hefty-fine-free.
Personal Data
Under GDPR, the definition of personal data has been expanded to include digital identifiers such as IP addresses and mobile device IDs. It also introduces the concept of ‘pseudonymous data’ — personal data that has been, for example, encrypted, and can be traced back to individuals.
Most important for fleet managers here is that data from telematics systems, including information on speed, location, and driving habits, may constitute personal data under these new terms.
With individuals having more rights over their personal data, businesses and fleet operators need to be transparent with drivers on what data is being captured, how it’s being used, and how they can access and even eliminate it.
Driver Consent
Many companies will continue operating as usual, as explicit driver consent is not required if personal data is only being used as outlined by the contract of employment – for example, logging telematics data and calculating driving time for payroll purposes.
However, in the absence of a contractual agreement or a ‘legitimate interest basis’ (more on that to come), fleet managers will need to seek driver consent. Under GDPR, that consent needs to be specific, unambiguous, and freely given — ideally done so in the initial terms of employment.
Lawful Basis For Processing Data
Lawful basis for processing data is key when it comes to legally handling and processing information on your company fleet.
As seen above, one basis for processing data is driver consent. Others include contractual agreement, compliance with a legal obligation, and the most common of all, legitimate interests.
Legitimate interests allow businesses to process data without the consent of an individual — providing it doesn’t interfere with their rights, freedom, and legitimate interests. This may, for example, include in-house administration, fraud prevention, security and safety, and market research.
Governance and Security
If there’s one thing to take away from GDPR, it’s this: record everything.
GDPR expects fleet managers to adhere to its strict standards of accountability, governance, and transparency by documenting all data and processes associated with drivers. One of the ways you can ensure this is by creating measures such as privacy impact assessments, which comply with its ‘privacy by design’ principles.
These responsibilities extend beyond your business and to your suppliers, too. Fleet managers should ensure their suppliers are GDPR compliant so that all driver data is secure. This may mean seeking out businesses with demonstrable competence, such as those with certification to ISO 27001.
Still unsure about GDPR for fleet managers? Ensuring data is secure and keeping on top of regulations are a few of the reasons why our fleet management service is so popular — find out more by contacting us today.