All you need to know about GDPR
New European legislation comes into effect next year which will have serious implications for anyone handling data generated from vehicles. Julian Kirk explains.
In less than a year’s time, the fleet industry has got to wake up to the serious ramifications of not complying with a new EU data protection regulation – or risk facing fines of up to €20 million.
On May 25, 2018, the EU General Data Protection Regulation (GDPR) replaces the Data Protection Act – the biggest shake-up in data protection for 20 years. It has been designed to harmonise data privacy laws across Europe to protect all EU citizens’ data privacy. Currently, data laws are applied inconsistently across Europe, with the UK and Ireland seen as having a lighter regulatory burden than other countries.
And this will have a huge impact not only on the automotive industry as a whole, but the fleet industry in particular with its widespread use of telematics devices to generate information on employees from their vehicles.
Under GDPR, there will be more emphasis on the rights of individuals, both in terms of consent and access to their own data. As a result, it will be essential for fleet operators to keep audit trails to evidence that specific and unambiguous consent was freely given. This should be in the form of a statement or an affirmative action. It will no longer be acceptable to gain consent via ‘pre-ticked’ boxes and inaction – companies will have an ongoing responsibility to ensure they have permission to harvest data, and that the data is relevant.
Paul O’Dowd, head of sales at In-car Cleverness, agrees: “The crux of the matter is consent. From a fleet point of view – involving company cars or job-need vehicles – our priority has been to ensure the employer working with their employee produces a written agreement – a consent form – otherwise the data gathered is not actionable. That form will determine whether the data is available for private and business usage, and to whom that data can be passed on. This is critical when car incidents happen because the level of detail our technology generates is significant.”
A BVRLA spokesman added: “Should an individual ever make a claim, the burden of proof will fall to the organisation so it will be essential for fleet operators to keep audit trails to evidence that specific and unambiguous consent was freely given. This should be in the form of a statement or an affirmative action. It will no longer be acceptable to gain consent via passive ‘pre-ticked’ boxes and inaction.
“To ensure compliance, some operators may need to completely overhaul their data management processes. This is likely to place a significant burden on many fleet operators as dedicated time and resource will be required to get everything in order before the new rules set in.
“Another area of change is that the new rules place emphasis on shared responsibility, making everybody who handles and processes data liable, not just data controllers. Everybody in the supply chain will need to understand their obligations to ensure compliance and this is going to require a change in mindset as people across the industry have different views on who they think is liable for data. This is evident in the BVRLA’s study which shows that 36% of members and 41% of fleet managers agreed that everybody had responsibility for data protection. The rest placed the responsibility at the door of either the lease company, manufacturer or fleet manager. There is clearly a big job to do to ensure compliance across the industry.”
According to Rhys Harrhy, telematics product manager at ALD Automotive, transparency is key and fleet managers must be absolutely clear with their drivers from the outset about why they are collecting specific vehicle journey data. He added: “This should involve the implementation of a clear policy that details exactly what data is collected, what data is shared with the employer and for what purposes the data will be used – e.g. to monitor and reduce CO2 emissions across the fleet, or as a tool to accurately measure fuel costs, for instance.
“Employers also have an ongoing responsibility to ensure that the need to collect data about their employees remains relevant, so regular reviews of the policy should be implemented in line with company objectives.
“Telematics is as much a tool for employees as it is for their employer, so the driver benefits should be surfaced to encourage greater buy-in.”
From the company’s side, the effort is worth making because of the value of the data it receives: the data helps to make efficiency savings on the fleet through moves such as better journey planning and optimised route guidance, avoiding time lost in traffic and the ensuing rise in fuel costs.
ACFO legal adviser Alex Ktorides, head of ethics and risk and a partner at law firm Gordon Dadds, said: “There is huge value in gathering data, but that must be balanced against people having a right to privacy. Employers must put people’s rights at the forefront and show good governance and gain consent.”
Attitudes to data
The BVRLA has canvassed opinion from around 300 fleet industry figures, from members of the organisation to fleet managers and company car drivers.
Responses to its Fleet Technology Survey highlight the difficulty companies face under the new GDPR rules: drivers are happy to share information from their vehicles and telematics devices that can be used to diagnose vehicle faults and help the business operate more efficiently, but they are far less keen when that data includes details of their driving performance, location and behaviour.
The survey also found that 54% of companies are ready for GDPR and 52% have a clear strategy regarding collection and use of data from vehicles.
What about after Brexit?
The Government has indicated it will implement an equivalent or alternative legal mechanism to the GDPR once the formal split from the EU occurs. The EU expects that any such new UK legislation will largely follow the GDPR, given the support previously provided by the Information Commissioner’s Office (ICO).
Put simply, if you process data about individuals in the context of selling goods or services to citizens in other EU countries, then you will need to comply with the GDPR, irrespective of whether the UK retains GDPR post-Brexit. UK businesses complying with GDPR can also seek continued access to the EU digital market regardless of politics.
While the headline figure of fines of up to €20 million dominates reporting of GDPR, there is also the potential for class-action lawsuits.
According to Ashley Winton, a partner at Paul Hastings LLC, GDPR will present greater litigation risks – especially in light of the Court of Appeal’s ruling in the case of Google v Vidal-Hall (which involved Google circumventing the Safari web browser’s privacy settings). The court ruled that the claimants could claim for distress without having to prove pecuniary loss. This greatly increases the scope for compensation claims in the future, given that an invasion of privacy will rarely be accompanied by actual monetary loss.
He said: “In the UK, pursuant to Google v Vidal-Hall, it is now very easy to bring a successful claim for damages. Data subjects are entitled to compensation from a controller or processor that has caused them damage, unless the controller or processor can prove it is in no way responsible for the event giving rise to the damage. This is a reversal of the standard burden of proof.”
Many of the GDPR’s main principles are much the same as those in the current Data Protection Act. However, there are new elements to consider.
The Information Commissioner’s Office, which will be responsible for monitoring and prosecuting under the new GDPR rules, has compiled a checklist to enable firms to ensure compliance:
- Make sure people in all areas of your business are aware of the new law.
- Document what personal data you hold, where it came from and who you share it with.
- Review your privacy notices and put in place a plan for making changes necessary under GDPR.
- Check procedures to ensure they cover all the rights individuals have.
- Plan how to handle requests from subjects under the new rules.
- Make sure the legal reasons for processing personal data are crystal clear and update your privacy notice.
- Review how you seek, record and manage consent, and refresh it to meet the new standards.
- Consider whether you need to put systems in place to verify individuals’ ages and to obtain parental consent.
- Make sure your systems for dealing with a data breach are correct and robust.
- Familiarise yourself with the ICO’s code of practice on privacy impact assessments.
- Designate someone in your company to take responsibility for data protection compliance.
- If you work across borders, determine which is your lead supervisory authority.