GDPR compliance and fleet management

By Ross Jephson
20 January 2021

GDPR Compliance – it’s not just about spam e-mails, but Fleet Management too!

The introduction of the new General Data Protection Regulation (GDPR) has been in the news a lot recently, and often stories are linked to unsolicited emails and whether firms and spammers are allowed to send them.


But the regulations go further, into the realms of data that businesses can hold on employees, and this will have ramifications on running your fleet.

Now is the time to ask yourself, are you ready for GDPR?


A Definition of GDPR

Put simply, it’s a turbocharged version of the existing 1998 Data Protection Act, reflecting the increasingly complex ways that personal data is held and used.

Above and beyond updating current legislation, GDPR introduces new principles of transparency and accountability, with the demand that a company shows consent from individuals for using and holding their data. Indeed, individuals can demand that their data is erased or edited.

This means data capture has to be more proactively managed, and once held, you must demonstrate that it is being looked after and used in a way that your employees – or the individual in question – have agreed.

Ultimately, the new regulation is about consent and the management of that process. Data must also be kept secure and well-protected against unauthorised and unlawful access, use and loss.

If your business does not comply or you do not have adequate security or consents, you could face a number of penalties, including charges up to €20 million and 4% of worldwide revenues.

The key message here is that GDPR is not to be taken lightly!


So how does GDPR affect Fleet?

At the heart of GDPR is the concept of identifiable personal data: if an individual can be identified through the data you hold, you will need clear, traceable consent to hold and use that data.

Fleet very much falls under the jurisdiction of GDPR, because your employees can be identified in many ways, such as through their number plate, Vehicle Identification Number, driving licence number, National Insurance number, medical history, driving history (offences, insurance claims or training) or even tracking data.

So all the information you hold on employees relating to driving for work needs to be compliant, and used in the right way – but it is important to note this does not mean you have to start deleting great swathes of vital fleet management data. You may just have to adapt some practices and processes.

REMEMBER: GDPR will not stop you using employee data for fleet management, but you may have to change processes to ensure personal information is secure.


Types of GDPR-affected Personal Data held by Fleet Operations

  • Age
  • Sex
  • Address
  • Personal contact details
  • Medical records
  • Driver licence details (offences, endorsements, etc.)
  • Driver behaviour (speeding, harsh braking, etc.)
  • Training certifications
  • Journey history (via telematics)
  • Career history and experience


What Responsibilities will Fleet Managers have?

Fleet managers are intrinsically part of the process because a central tenet of GDPR is that privacy is no longer the responsibility of a Data Protection Officer or HR Directors alone (although those roles are essential): everybody involved in the data chain is now responsible.

Fundamentally, fleet managers must make sure each employee has given consent for their personal data to be stored, that they clearly understand how that data will be stored and used, and have that agreement documented.

It’s also their responsibility to ensure all personal data stored is sufficiently protected, and that access to such data is available only to authorised personnel through a secure channel. Ideally, this means using encrypted, password-protected software.

Fleet managers will also be involved in the management of third parties’ access to data. Often fleet management or leasing companies might well be party to your drivers’ information. They will need to adhere to GDPR too, and will need to demonstrate that data is secure, and that it does not identify individuals if it is not necessary.

REMEMBER: Fleet managers will need to ensure there are robust and traceable processes for employee consent.


What are the main tasks Fleets need to action?

Firstly, you will need to update contracts and policies so that employees understand what their data will be stored and used for, then you must obtain proactive consent from them.

There needs to be clearly defined audit trails for the process of obtaining consent.

Predefine specific purposes for holding data – GDPR allows for personal data to be used, but the case for it needs to be made. Keeping individual records of speeding convictions or fuel purchases is essential, but ask yourself whether it’s necessary to be tracking every single journey your employees make.

Fleets will have to put in processes for anonymising and aggregating non-specific fleet management data, especially if it is being shared with a third party. Also, there needs to be an inventory of all third parties that have access to your data, how they will get hold of that data and what it is used for, with evidence of how they intend to keep it safe.

Be prepared for employees to request to see their data and have a system in place to allow this to happen.

You don’t want rigorously planned and executed GDPR systems to fall down because suppliers have poor processes. Check that they have a good grasp of GDPR and can demonstrate comprehensive security systems, with robust back-up. And one final thing: if the data is being transferred outside the EU, make certain it is to a country with complementary processes.

Ensure the software supplier you use (and any other supplier who manages your data for that matter) is ISO 27001 certified. This formally acknowledges that providers are committed to data protection issues.



GDPR does demand that employers introduce new, defined processes and ways of managing employees’ data. But for those used to robust fleet management processes, it should be an enhancement of already established practices, rather than a complete revolution of the way you work.
