The General Data Protection Regulation (GDPR) officially came into force on May 25th, 2018. The intention of this regulation is to strengthen and group data protection laws throughout the EU, providing citizens with more control over how their personal data is collected, processed and managed.
GDPR applies to any organisation - globally - that processes the personal data of EU citizens. This has forced many fleet managers, who handle commercial driver data, to reconsider their operational processes.
These changes to data protection laws are an evolution rather than revolution but can still impact some significant areas of fleet operations.
A vast number of fleet managers use driver data to maximise route efficiency, company productivity and fleet sustainability. GDPR, however, states that the collection of data - and the processing of it - must identify a ‘legal basis’. This means that fleet managers must have a documented process in place that identifies the legal basis for managing driver data.
The scope of what is classed as driver data has now been expanded to include everything from personal information, such as a driver’s name and identification number, to any data stored on telematics systems. It is, therefore, crucial that the information gathered is justified and documented.
To legally collect this information, many organisations believe that driver consent is the only legal route to take. However, there are other, more legitimate, options:
1. To work in line with a contract
Some fleet managers use vehicle tracking data to record working hours in order to pay employees on hourly contracts. If this is the case, then there is a legal reason for collecting personal data. This falls under the exception of processing for the performance of a contract; therefore, no consent is required for the processing.
2. Compliance with a legal obligation
If an employer processes the personal data of its employees for the purpose of complying with a legal obligation, then driver consent is not required. Also, if the vital interests of the data subject, the driver, are being protected then consent can be bypassed.
3. Pursue legitimate interests
Under Article 6(1)(f) of GDPR, ‘processing is necessary for the purposes of legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of Personal Data, in particular where the data subject is a child.’
In addition, Recital 47 of GDPR states that, ‘The legitimate interests of a controller, including those of a controller to which the Personal Data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller.’
When pursuing ‘legitimate interest’, it is, therefore, important to conduct an assessment of the organisation’s need to process personal data against the rights and freedoms of the data subjects concerned. If, as a result of the assessment, the interests of the data controller outweigh those of the data subjects, the data may be processed. It is imperative that this assessment is carefully approached and documented.
Complying with GDPR
Following the introduction of GDPR, fleet operators must understand the rights of their drivers and that data collection must be done transparently. It may well be true that the role of fleet managers has been affected; however, industry standards have improved as the new EU regulation marks a significant step forward in personal rights.
Whichever way organisations choose to collect personal information, employers are obliged to disclose all information where personal data are collected from the data subject. The key is keeping all parties informed about why their data is being collected, what the data is used for and who has access to it.
Keeping up to date with new regulations should be a vital aspect of every fleet manager’s job, but it is also important to ensure that the telematics provider is GDPR compliant too. This organisation should, therefore, be ISO 27001 compliant to ensure that all customer data is collected, processed, stored and managed securely at all times.
Serious breaches of data protection laws mean authorities can fine companies up to €20 million or 4% of their worldwide annual turnover.
Djamel Souici, Group General Counsel at Masternaut