Analysis
19 Jul 17

The impact of the new GDPR on lease companies and fleet-owners

As our world becomes ever more interconnected, data is the new gold. This includes our personal data, which is collected and used by many parties, often without notification or consent. The more personal data circulates, the more data privacy and data protection become a concern.

A new European Regulation imposes strict obligations on every organization and company that handles personal data, with the objective of returning control over personal data to the individual. The General Data Protection Regulation (GDPR) applies as of 25 May 2018 in all 28 EU member states. Non-compliance may result in significant penalties, up to a maximum of 20 million EUR and 4% of worldwide revenue.

Personal data is any information relating to a person, such as name, identification number, photo, email address, bank account number, social network messages, location data, medical data, IP address, and so on. Lease companies collect and maintain personal information on the employees of their customers (drivers), customer contacts, supplier contacts and their own employees. These data include financial data and personal driver history data and should therefore be treated as critical data. GDPR is consequently important for all lease companies.

Controllers and Processors
GDPR distinguishes between controllers and processors. The controller determines the purposes and means of processing personal data. Processors are essentially suppliers who process data on behalf of the controller.

By their nature, car lease companies assume both roles. On the one hand, they process the personal data of their customers' employees (drivers) on behalf of those customers, and are thus processors of personal data. In some cases this data can be sensitive, for example speeding tickets, vehicle accident history or DUI arrests, the paperwork for which is received by the owner of the vehicle, i.e. the lease company. On the other hand, car lease companies collect and maintain the personal data of customer and supplier contacts, and by rendering B2C and B2D remarketing services they also record administrative information about the buyer. In those activities, lease companies act as controllers of personal data.

Customers are increasingly asking their service providers about the secure processing of their employees' data, as they remain ultimately responsible towards their employees. This need for 'assurance' will only grow under GDPR and its associated penalties. Lease companies will therefore need to demonstrate their reliability in data protection to (potential) clients and other stakeholders, which can be done through certification of GDPR compliance. This is expected to become a 'license to play' in the future.

A pragmatic approach for GDPR compliance

A first step towards GDPR compliance is the establishment of a data privacy policy, in which the organization defines how it ensures that personal data are:

  • fairly and lawfully processed, by providing transparency towards drivers on their personal data
  • processed for specific purposes only, as agreed with the data subjects
  • adequate, relevant and not excessive: only request and use the data that is needed
  • not kept longer than necessary in physical documentation and fleet management IT systems
  • processed in line with the data subject's rights to access, delete, object to distribution, opt out of marketing, claim compensation for damages and be forgotten
  • accurate and up to date, by implementing measures to ensure the accuracy of the data
  • not transferred to other countries without adequate protection
  • kept secure, by implementing physical and logical security measures

This policy must be communicated to management and staff in order to create awareness and provide a clear guideline for personal data processing.

The data privacy policy is an important first step towards GDPR compliance. The other main requirements are:

  1. Maintain an inventory ('data register') of all personal data collected, used and managed within the organization. For lease companies this essentially concerns information on drivers, (potential) customers, suppliers and employees.
  2. Perform data protection impact assessments (DPIAs) for sensitive personal data, such as bank account details, social security numbers and information related to driver penalties and fines.
  3. Implement measures to protect this personal data, ensuring an 'adequate' security level, based on the outcome of the DPIAs.
  4. Adapt contracts with processors of personal data, such as social secretariats and IT service providers, to clearly define roles and responsibilities for personal data protection.
  5. Adjust communication towards data subjects by means of 'privacy notices' regarding the processing and use of their personal data. Fleet owners will play an intermediary role in obtaining these privacy notices from their drivers.
  6. Implement a process for data breach registration and notification. As of May 2018, notification of data breaches to the local data protection authority ('DPA', the Privacy Commission) will be required.
  7. Appoint a Data Protection Officer (DPO), responsible for ensuring GDPR compliance. This is required for organizations with more than 250 employees or handling sensitive personal data, which is the case for leasing companies.

The road to compliance starts with a GDPR readiness assessment to identify the gaps with respect to GDPR compliance. Implementing the action plan that results from the GDPR assessment typically takes 6 to 9 months. With May 2018 as a strict GDPR deadline, the time for action is now.

You are not alone in this mission. Many car lease companies will struggle to find the required focus, time and skills within their own workforce and will decide to outsource the GDPR road to compliance and the role of DPO, which the new regulation allows.

As a fleet owner, you are likely to be contacted in the context of a company-wide GDPR program and asked to provide input on:

  • personal data stored and processed in the context of fleet management (cf. data register)
  • third parties involved in fleet management (cf. lease companies), whether they are 'GDPR compliant or certified', and the contracts with these third parties
  • communication towards the individuals, car policies and similar documents (cf. privacy notices)

New technologies such as car connectivity and telematics will bring new data privacy issues. More personal data will be collected, so adequate protection of these data will become even more important, as will privacy notices informing the individual about the data collected and requesting permission for its use.

A white paper with a pragmatic approach for GDPR compliance can be found on the BDO website.

Authors of this article: Koen Claessens, Partner BDO Risk & Assurance Services, and Wim Verbelen, Senior Manager BDO Risk & Assurance Services at BDO.