Unravelling the General Data Protection Regulation (GDPR) is a difficult task for fleet operators. Not only do the new Europe-wide data protection laws cover a huge range of responsibilities, but matters are made trickier by the heaps of misleading information currently circulating on the topic.
If you’re responsible for a fleet, how do you make sure you fully understand what crucial elements apply to you?
To help, we’ve picked out four of the most surprising facts about the GDPR and outlined how they apply to the operation of a vehicle fleet.
For a more in-depth plan to help your business remain compliant, make sure to check out our free detailed guide to the GDPR for fleet operators, with advice from TomTom Telematics data experts.
You don’t necessarily need consent
A lot of the talk around the GDPR has focused on the need to obtain explicit consent when processing personal data, but this isn’t always the case. In fact, consent is only one of the lawful bases for processing data. The others are:
- Legitimate interest: you, or a third party, have a legitimate interest that does not conflict with the individual’s fundamental rights.
- Performance of a contract: processing is necessary for performance of a contract with the individual.
- Legal obligation: processing is necessary to comply with legal obligations.
- Vital interests: processing is necessary to protect someone’s life.
- Public task: processing is necessary to perform a legal task in the public interest.
As far as fleet data is concerned, many typical processes will be covered by legitimate interest, performance of a contract or legal obligation. For example, the use of fuel data to prevent fraud or driver behaviour data to help protect a driver’s health and safety both fall within legitimate interest.
The monitoring of driver hours might fall within both performance of a contract – to ensure the hours stipulated in a contract of employment are fulfilled – and legal obligations – to ensure compliance with working time regulations.
Breach isn’t your fault? You still might be responsible
Under previous laws, regulatory bodies would typically chase responsibility down the supply chain, meaning the person or organisation responsible for the original breach would bear the bulk of responsibility.
However, organisations will now be held responsible for any breaches that occur anywhere within the supply chain. Fleet operators, in particular, need to take note.
The fleet supply chain is large and varied, with data potentially being processed by a number of suppliers, such as those handling leasing, insurance, accident management or telematics. This means it’s more important than ever to ensure all suppliers that process sensitive data meet the standards you require to remain compliant with the GDPR. Also keep in mind that some of these suppliers may work with secondary suppliers that also use the data in question.
It’s important to carefully select the suppliers you work with and put contracts in place to clearly define the reasons, responsibilities and procedures for processing data. An audit trail should also be created for all personal data, showing the different times at which this data has been processed, who processed it and the purpose for this processing.
Everyone is responsible for data security
There’s a common misconception that the responsibility for the protection of personal data rests solely with a single individual or department within an organisation, such as IT. This is not the case.
While delegating the main responsibility to a data officer is certainly a wise step, this person would primarily be concerned with putting processes and structures in place that mitigate the risk of breaches occurring. That does not make them solely responsible for preventing each individual breach from happening.
A breach can result from something as simple as an employee sending an email containing personal data and accidentally copying in someone who does not have the authorisation to view that data.
Consequently, it is important to establish an organisational culture that values best practice. All employees need to be aware of the role they can play, what activities might carry risk of a breach and how to respond when a breach occurs. Communication will be key in achieving this, through simple measures such as email bulletins to staff all the way up to targeted training sessions and workshops.
You need easy access to all personal data at all times
One of the key rights established by the GDPR is the right for an individual to access all of their personal data that is being held by any organisation at any time.
When access is requested by an individual, the organisation must respond within one month with details of what data is being held, confirmation of whether or not it is being processed and, if applicable, the reason it is being processed.
While this factor might not be so surprising, it’s well worth underlining, as it means you must be able to access a huge range of data across a number of categories quickly and accurately.
To support this, consider assigning core responsibility for the handling of requests to a particular member of staff. It’s also important to make sure data is easily available. In the case of telematics, this means working only with suppliers that provide accessible yet comprehensive reports highlighting what data is held on each employee.