CAVEAT: GDPR is a complex subject with many legal and financial ramifications. ProVision provides this article as general guidance, but it should not be considered legal or professional advice in any way. We further recommend that you consult with professionals in the area of GDPR to ensure that you are fully compliant by the deadline of May 25th, 2018.
The General Data Protection Regulations (GDPR) compliance deadline is not far away and the penalties for breaches in this law are not worth contemplating. Non-compliance could cost you 4% of your annual turnover and all the costs associated with defending such claims.
So that’s the scary stuff highlighted, and you should take it seriously, but the reality is that these new regulations have a far bigger impact on ecommerce and online businesses that collect very sensitive personal data rather than fleet operators.
This article therefore covers a number of areas that should be reviewed in preparation for the deadline, but in real terms your requirements will not be as onerous or complex as these online businesses.
Before we look at that, let’s define what GDPR has been created to protect.
GDPR, in simple terms, is concerned with:
- Personal Data You Store
- How You Obtained It
- Who Has Access To It
- Who Manages It
- Why It Is Stored
- Where It Is Stored
- How Secure It Is
- How Long It Is Stored For
- How You Use It
GDPR is essentially an overriding regulation that sits above local country data protection regulations, but it introduces some additional requirements.
The key here is the definition of ‘personal data’, which according to the new GDPR directives means
“any information relating to an identified or identifiable natural person”.
So that obviously covers things like names, email addresses, postal addresses, telephone numbers, IP addresses, credit card details, etc. Where this becomes more relevant to you as a fleet operator that uses vehicle cameras is captured video of faces and number plates, and even GPS data where a specific person can be identified from the combination of location and time information.
Vehicle cameras are not specifically covered by CCTV regulations, and so the public do not have the same protections as they would for fixed recording systems. However, as a company you still need to be sensitive to this, especially where you intend to make use of this footage for any external needs.
It’s with this data in mind that the below checklist has been researched and written up for your reading pleasure:
- Make Key Staff Aware
If you have not yet sat with your key stakeholders in the business and discussed GDPR, then the time to do it is NOW. You need to begin to factor this into your future planning. Will you need new systems, resources, staff, etc.? Don’t leave it to the last minute.
- Inventory All Data You Collect
From contact forms to camera footage, what do you collect and what do you do with it? Does any of it contravene the data collection, storage or usage rules going forward?
- Inform Staff, Customers And The Public
Staff who leave your company may then fall under private data requirements. For instance, if you have tracking technology in your vans that a driver can make use of in the evenings and at weekends and that driver leaves, they may have the right to have you delete all tracking data pertaining to personal journeys they conducted in that vehicle. Further, if you are capturing audio and video in your vehicles, where your staff can be recorded, you must make sure they are aware. This can be achieved by including clauses in their employment contracts and by creating a data privacy and usage policy for the company. These documents must cover the 9 points highlighted above that impact on them.
Further, and most importantly, you must have stickers/signage on the vehicles that inform the public that the vehicle has cameras installed that record video, audio or both. Our research also highlights that you should include information about how the public can make data access requests of you if they desire. For instance, if they feel that they have been recorded and wish you to erase any personally identifiable footage, how can they make this request?
- How Will You Handle Data Requests?
Under GDPR you will need to action data requests within a maximum timescale of 30 days. This includes:
- Confirmation that their data is being processed
- The right to rectify incorrect data
- The right to have data erased
Where rectification or erasure is requested and is deemed a valid request, then you will have up to 60 more days to action the request.
For vehicle camera and tracking data, this can mean that you have to blur out faces and registration plates in order to anonymise data or delete data where no legal basis can be proven for either its original collection or subsequent ongoing retention.
By the way, you cannot charge individuals for dealing with these requests (one of the key changes to current data protection regulations). However you can charge a ‘reasonable fee’ when a request is clearly unfounded or excessive, particularly if it is repetitive.
As a fleet operator, you should not expect to receive many of these requests, but you should prepare nonetheless.
- Define The Lawful Basis For Collecting And Storing The Data
This is a legally complex area, so we are not even going to try and get into the detail. Suffice to say that you need to show that you have a very good reason for collecting, storing and using the data. Preferably more than one good reason. Be sure to include this in any privacy policy documents you have (online and offline).
- Data Breaches
You should have a very clear policy for dealing with data breaches. This includes informing all key stakeholders and any contactable individual whose data you hold. If you are a very large organisation that stores very sensitive information (for example, delivery companies with addresses stored in delivery records), you may also need to inform your local data protection body.
- Data Protection Officers
In the majority of cases it may not be mandatory for fleet operators to have a Data Protection Officer; however, it would be a great idea to assign an individual, even on a part-time/secondary role basis, to oversee all aspects of data protection and GDPR. The Data Protection Officer can also be an external consultant. They will be the point person for planning, implementation and handling data access requests.
A final point is that all of this becomes infinitely easier with a cloud-connected system that allows you to access and download footage and data remotely. Just imagine having to deal with all this in a fleet of vehicles where the data is spread across all your vehicles on hard disks and SD cards! A system designed for commercial use is built to make compliance with GDPR easier, not harder.