Misunderstandings around the General Data Protection Regulation (GDPR) being introduced later this month (May 25) is causing something of a headache for fleet managers.
GDPR defines the processing of personal data as lawful if certain criteria apply. Consent has been the most common basis for the lawful processing of this data under its predecessor, the Data Protection Act. With GDPR, this may change.
GDPR requires consent to be specific, unambiguous and freely given and such consent can be withdrawn at any time.
However, consent may prove the least appropriate basis for processing driver data by a fleet operator.
There are circumstances where a business has a legitimate right to hold certain data without explicit permission. It is important to establish and document whether there is a lawful basis for processing the data, other than consent.
The likelihood is that most fleets will avoid the need to gain driver consent and instead cite legitimate interest or the performance of a contract as the basis for processing.
‘Legitimate interest’ as a basis for processing means fleet operators must define their legitimate interest for the processing of personal data and there must be a necessity for the business to do so.
The operator needs to ensure a balance between its interests and drivers’ rights and that drivers are informed about the processing. A legitimate interest, dependent on a case-by-case review could, for example, be fraud prevention or on safety issues.
Alternatively, it could be necessary for the performance of a contract with the data subject, for example where an employee is paid for driving time and telematics data is used to record these times. In this instance, processing is covered by the contract of employment.
GDPR is an important commitment to improving data security and the onus is rightly on companies to comply. That said, it is not intended to undermine businesses.
Understanding the implications of the legislation really is key to ensuring you protect the rights of your drivers, while continuing to operate efficiently.
By Djamel Souici general counsel and chief legal officer for Masternaut