GDPR responsibilities must cover whole supply chain, fleets warned
Fleet operators and suppliers must assess their entire supply chain to ensure they’re covered for the introduction of the General Data Protection Regulation (GDPR).
So says Fleet Operations as it warns that many businesses are underprepared for the new legislation, which comes into force in a few months.
The replacement for the Data Protection Act, GDPR will bring much more onerous data privacy requirements when it kicks in from 25 May 2018. This will impact on fleets in many areas, from telematics devices to licence data. The consequences of failing to comply with GDPR are high, with the maximum fine for infringements set at 20 million euros or 4% of turnover, whichever is greater.
However, according to Fleet Operations, which provides outsourced fleet management services, one of the most significant changes means that organisations will now take responsibility for data protection breaches at any point within the supply chain. This puts fleet suppliers and operators at particularly high risk due to the large number of personal data transactions that occur within the fleet supply chain.
Brian Hardwick, head of operations at Fleet Operations, said: “From our experience, it appears many organisations still have not assessed the full impact of the GDPR and taken the requisite action to ensure they will be compliant. There exists a perception that this is a minor adjustment when, in fact, businesses need to assess their entire supply chain to ensure each link is secure.
“As a starting point, it is vital for organisations to map all data flows across the business, which means documenting all data coming in and going out, as well as the various organisations or individuals that process information at each point in the supply chain. Contracts must now be in place between the data controller and data processor in each of these data transactions covering all the requisite details outlined by the GDPR.”
Hardwick warned that breaches could occur due to something as simple as copying someone into an email thread that contains data they do not have consent to view.
He added: “That’s why it is important to communicate the new regulation – and the steps you are taking to address it – very clearly to all staff and put data protection at the centre of your organisational culture.”