The legal duties around vehicle and driver data

With the General Data Protection Regulation coming into effect in less than a year, the BVRLA explains how fleet operators need to understand their responsibilities and have a clear strategy regarding the collection and use of driver and vehicle data

The new General Data Protection Regulation (GDPR) comes into effect on 25 May 2018 marking the biggest overhaul of data protection since the introduction of the current Data Protection Act (DPA) in 1998.

Seen as more of an evolution than a revolution, GDPR is effectively a more detailed and robust version of the current regulation, placing greater emphasis on the rights of individuals and imposing tougher penalties on those organisations who fall short of meeting their data protection obligations.

Those found to be in breach of the new rules could face fines of two per cent of annual turnover or four per cent of annual worldwide turnover for more severe infringements.

The GDPR applies to data processing carried out by organisations operating within the EU as well as organisations outside the EU that offer goods or services to individuals in the EU. The government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR so businesses should not let the prospect of Brexit delay preparations.

Is the industry ready?

The British Vehicle Rental and Leasing Association (BVRLA) recently published findings from its Fleet Technology Survey, revealing that around half of BVRLA members and fleet managers felt ready for GDPR. Fifty-four per cent claimed that their company is clear about its responsibilities under GDPR and 52 per cent claimed that their company has a clear strategy regarding its collection and use of driver and vehicle data.

To be adequately prepared for the new rules, some operators may need to completely overhaul their data management processes. The BVRLA are calling upon the industry to act now to identify gaps and review their current ways of working, liaising with others in the supply chain to get suitable processes in place. This is likely to place a significant burden on many fleet operators over the coming months as dedicated time and resource will be required to get everything in order before the new rules set in.

BVRLA chief executive, Gerry Keaney said: “We are advising members to act now to get sufficiently prepared for the introduction of GDPR as the cost of non-compliance is great. Our GDPR seminar was well attended last month and we are providing other tools and guidance including e-learning modules, YouTube films and factsheets to support members with their preparations in the lead up to the new rules.”

The Information Commissioner’s Office (ICO) understands the importance of having an internationally consistent approach to data protection regulation, stating: “With so many businesses and services operating across borders, international consistency around data protection laws and rights is crucial both to businesses and organisations, and to individuals.”

Any changes made to business processes to ensure compliance will not be made in vain as any UK version of the regulation introduced post-Brexit is likely to be aligned to GDPR.

Some key differences

Under GDPR, there will be more emphasis on the rights of individuals both in terms of consent and access to their own data. Should an individual ever make a claim, the burden of proof will fall to the organisation so it will be essential for fleet operators to keep audit trails to evidence that specific and unambiguous consent was freely given. This should be in the form of a statement or an affirmative action. It will no longer be acceptable to gain consent via passive ‘pre-ticked’ boxes and inaction.

Another area of change is that the new rules place emphasis on shared responsibility, making everybody who handles and processes data liable, not just data controllers. Everybody in the supply chain will need to understand their obligations to ensure compliance and this is going to require a change in mindset as people across the industry have different views on who they think is liable for data.

This was reflected in the BVRLA’s study which shows that 36 per cent of members and 41 per cent of fleet managers agreed that everybody had responsibility for data protection. The rest placed the responsibility at the door of either the lease company, manufacturer or fleet manager. There is clearly a big job to do to ensure compliance across the industry.

Data security

As the automotive industry continues to transition from a sector driven by mechanics to one driven by electronics and software, the issue of data and cyber security will become an increasing concern.

As connected and autonomous vehicles become more prevalent on our roads, it will be crucial for manufacturers to consider security requirements in the vehicle’s design and it will be equally as important to protect our infrastructure.

The main cyber security threats to connected and automotive vehicles include loss of control, loss of data, leaking or sharing of data, denial of service or malicious manipulation of software, network outage or disruption of power supply and even interception or hijackings. All of which would be disastrous.

The BVRLA welcomed government’s recent publication of a set of principles to ensure that a tougher approach is taken to cyber security throughout the automotive industry.

Keaney said: “It is potentially an area of huge vulnerability if businesses do not take steps to be properly protected so there is likely to be an increase in the employment of tech-savvy cyber security professionals to embed government’s recommended cyber security principles right across the automotive industry. Data protection is crucial not only for individuals and organisations, but also for the industry and the wider UK economy.”

Data access and ownership

As part of the BVRLA’s Fleet Technology Survey, the association explored views from drivers with regards to data and connected vehicles, and the message was clear. When it comes to sharing data about themselves such as how they drive or where they drive, there is little appetite to give consent.

However, the picture is very different when it comes to sharing diagnostic data to help with early diagnosis of faults or to help flag warranty or safety issues. 95 per cent were happy to share data if it helped to diagnose or prevent faults, 93 per cent were happy if it enabled the automatic alerting of a breakdown company and 82 per cent were happy if it helped to identify safety and warranty issues.

Around seventy percent of BVRLA members and fleet managers believe that vehicle manufacturers have an obligation to provide vehicle data, with 86 per cent saying that they should not have to pay for it.

Seventy-nine percent of respondents said they were concerned that vehicle manufacturers would restrict access to telematics data to further their own business goals. Eighty-nine percent of them believe that manufacturers should allow them to install third party telematics devices, provided that they meet agreed security standards.

Gerry Keaney said: “Connected vehicle data is rapidly becoming the new currency of the fleet sector and will drive many business models in future.
“Our responsibility is clear. The BVRLA will play a lead role in helping the fleet sector work with government and the wider automotive supply chain to ensure that all parties share data in an open, secure and fair way. By doing this, we can make sure that businesses and consumers continue to enjoy a competitive choice of suppliers for fleet management, aftermarket and mobility services.”