Analysis
27 Feb 18

Fleet telematics must comply with EU’s new data protection rules 

The General Data Protection Regulation will have serious consequences for the collection and storage of telematics information.

New Europe-wide data protection rules will have a direct impact on how fleet operators gather and process telematics data.

The General Data Protection Regulation (GDPR) comes into force in European Union member states on 25 May 2018, and will force companies to be meticulously careful when handling personal data. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.

The regulations also give employees and private individuals much clearer rights to explore how their data is stored and used.

Failure to comply with the rules could lead to heavy fines of up to 4% of annual global turnover or €20 million (whichever is greater).

Significantly for fleets, the GDPR covers far more than personal data, such as name, address, salary and bank account details. From next May, any information that can identify individuals directly or indirectly will be classified as personal data, and this includes data generated by in-vehicle telematics systems.

With the definition of personal data changing, much of the telematics data that transport companies hold may fall within the scope of the new regulation and the relationship between the fleet operator and its drivers will therefore become even more important.

What is personal data?

Djamel Souici, general counsel at telematics specialist Masternaut, said, “GDPR extends the definition of personal data to include digital identifiers such as IP addresses. Identifiers in telematics systems that correlate data and drivers, including information on location, speed or driving events, may thus be personal data.”

This does not mean that fleets have to stop gathering this data, but they do need a lawful basis for processing it, said Souici, and they face extra responsibilities to guard it and to respond to driver enquiries and concerns.

“Several options are available as the basis for processing, including driver consent; the performance of a contract; compliance with a legal obligation; to fulfil a task in the public interest or to pursue legitimate interests,” he said.

If the telematics data is being used for contractual reasons, such as to record driving time because the driver is paid by the hour, then the collection of the data ought to be covered by the contract of employment.

Similarly, fleet operators could reasonably claim ‘fraud prevention, security and safety’, as a motive to collect and process telematics data, said Souici.

Driver consent

But, “in the absence of a contractual or legitimate interest basis, operators must seek driver consent, which has to be specific, unambiguous and freely given,” he added. “Drivers should know what is captured and why, as well as what happens to it, and who it will be shared with. Such consent should be documented and ideally incorporated into employment, supplier and driver contracts.”

The GDPR insists that driver consent has to be a positive opt-in, said Anthony Monaghan, senior vice president of the insurer Marsh.

In a 2017 survey by the British Vehicle Rental & Leasing Association, drivers were overwhelmingly happy to share their data if doing so helps to diagnose or prevent faults with their vehicle (95%), automatically alerts a breakdown company (93%) or helps a manufacturer identify safety and warranty issues with its parts (82%).

But their consent waivered when it came to sharing data about their driving behaviour and performance (44% ‘not comfortable’) or selling data about their location, local weather conditions or vehicle performance (36% ‘not comfortable’).

Right to acccess

The GDPR will also ensure drivers gain extra rights over access to their data.

“Be prepared for drivers requesting to see their data and have systems in place to facilitate this,” said Monaghan. “Designate someone in your company to take responsibility for data protection compliance.”

Moreover, it must be as easy for drivers to withdraw their consent as it is to give it. This extends to ‘Data Erasure’, the right for people to be forgotten and have their data erased – including historic data. The GDPR doesn’t just apply to data captured after May 2018, it includes data that has already been gathered and stored.

“The whole point of the GDPR is that it makes companies think more about their data processing, how they protect privacy and how they protect personal data,” said Bram Wallach, product management, Sofico. “It’s much more of a risk-based process. The key point of the GDPR is that the accountability is now with the data processor and controller to demonstrate compliance.”

“Companies now have to review their internal processes, data flows, the systems where master data is being kept, and how it is being replicated to other systems. Are they proportionately collecting data or are they collecting data that might not be directly necessary for the purposes of our processing.”
 

Authored by: Jonathan Manning