ACFO five-point plan to help fleets comply with GDPR
The new legislation takes effect from 25 May and, according to TomTom Telematics, will be the “most important change in data privacy regulation in 20 years”. However, speaking at last week’s ACFO March webinar, Beverley Wise, sales director UK and Ireland at TomTom Telematics, also said that GDPR was “an evolution, not a revolution” by bringing information protection into the digital age with processes that were “open and transparent”.
During the webinar, the second in the association’s new series of webinars that replace its previous regional meetings, Wise said there was no problem with collecting data that was for a “legitimate business interest” – for example, the capture and processing of mileage for travel management and business expense claims, fuel data capture and the use of driver behaviour data from in-vehicle telematics.
But fleets need to make sure drivers are fully informed and advised about what data is captured, how and where it is being used and by whom.
ACFO chairman John Pryor explained: “In the build-up to GDPR introduction it is a good time to review policy and ensure drivers are fully aware and also remind them of their obligations. The easy tick box is perhaps a thing of the past.”
ACFO’s five-point action plan for members is:
Know what personal data is held including: Drivers’ name, home address, contact telephone numbers, driving licence details, National Insurance number, payment, bank and family details.
Who has access to the data? GDPR is not “just fleet”. Many employers have working parties established to confirm what data they have and how it is used, but if that is not the case then check who can access the data that is held for fleet purposes.
What data is passed to suppliers/contracts by fleet professionals? Partner companies must be asked and confirm what processes they have in place for managing data and be able to show secure data treatment. Most suppliers will be well advanced, but if ‘no answer’ is obtained action must be taken. Contracts should state what data fleets will supply and the frequency and the purpose for which it will be used by suppliers.
What to tell drivers and make sure they understand where the data is, where it is being used and what is happening with it. For example, it is difficult to order/deliver a car if the supplier is not provided with name and address details.
Deleting data loaded on to vehicle systems. Satellite navigation systems and mobile phones contain a wealth of data. It is vital to remind drivers to ‘delete’ the data or reset to ‘factory settings’ ahead of defleeting a company car or the return of a hire vehicle.
Personal data must be kept protected from unauthorised and unlawful access, use and loss under GDPR. In response to a webinar question on obtaining drivers’ permission, Beverley Wise said: “Permission from employees is not required, but if it was refused then it is a bigger company policy issue. GDPR is about collecting data for a legitimate business interest and controlling that data.”
Data recorded by in-vehicle telematics is perhaps the area of most concern for many fleet professionals as it captures information related to individual driver behaviour and technology. John Pryor continued: “If vehicles have telematics fitted, fleet managers should be clear on what the information is used for and who receives it. This will be more sensitive if a driver says they do not want it used. In this case the company needs to be clear and managers should get internal guidance on the position.”
The webinar is available as a download from the ‘members’ area’ of the ACFO website – www.acfo.org – along with a toolkit containing relevant guides and resources.