Posted by Graeme Corner

If you have an email account, I’m sure you’ve received some emails over the past few months explaining how the new General Data Protection Regulation (GDPR) affects your different accounts. The new regulation applies to a whole host of companies, from gyms and fashion retailers to universities and insurance providers.

It also applies to fleet management.

Unfortunately, with the regulations applicable to so many different types of business, it can be difficult to unravel what the rules mean for your business. So, how do you make sure your company is adhering to the GDPR?

In particular, there are some key facts that we think really need highlighting for fleet management operators.

Consent doesn’t have to be explicit.

A lot of companies are going above and beyond to prove that their customers consent to having their personal data stored. However, this isn’t always necessary. If a company has a lawful reason for requiring personal data, then consent does not need to be explicitly requested. These reasons are:

  • The data is necessary to comply with legal obligations.
  • You, or a third party, have a legitimate interest, and it doesn’t conflict with fundamental rights.
  • The data can protect someone’s life.
  • Performance of a contract with the individual requires the data.
  • The data is necessary to perform a legal task in the public interest.

So, what does this GDPR rule mean for your fleet? Your operations will likely cover a number of the above, including legitimate interest, legal obligation and the necessity to hold information in order to perform your contracted work. For example, monitoring driver performance can aid a driver’s health and safety (which falls into legitimate interest), while recording fuel usage can be used to prevent fraud (aka a legal risk).

People need access to their personal data.

Individuals may request access to their personal data. If someone asks you for all of the information you hold on them, you must be able to provide this within one month. You’ll also need to inform them of:

  • Whether their data is being processed.
  • A reason why their data is being processed, if applicable.

To aid with this, it may be worth investing in some software to help manage your data, so you can provide this information quickly and with confidence that you haven’t missed anything out. From a fleet management perspective, this may mean using telematics software that is comprehensive and clear.

Everyone within the organisation has a responsibility.

You may have someone within your company who is responsible for GDPR compliance. Unfortunately, the responsibility of GDPR doesn’t rest on one person – it sits with everyone. While an officer can create the processes and best practice approach to GDPR, everyone needs to know the role they play in data security, what activities carry a risk, and the process to follow if a breach does occur. A breach can be something as simple as an email thread containing private information being forwarded to an external source.

Simply put, communication is key in ensuring your fleet is prepared for GDPR.

The whole supply chain is responsible for a data security breach.

Before GDPR came into effect, a data breach would be tracked to the company responsible. Now, however, the responsibility is shared between everyone in the supply chain that has access to the personal data.

In a fleet, this can involve a lot of individuals, including insurance providers, accident management teams and telematics providers. Therefore, it’s really important to only work with suppliers who can demonstrate their compliance with GDPR. It can also help to create an audit trail, so you can track where data is being processed.


Graeme Corner

The majority of my time is spent ensuring that our team delivers simple and cost-effective solutions to our customers that face the challenges of running a fleet of vehicles.
Occasionally I manage to sneak away to enjoy time with family and friends or a quick game of golf ….