Businesses could face the threat of class action lawsuits if they fail to comply with the new General Data Protection Regulation (GDPR), which could include fleets with telematics.
That was the warning from Ashley Winton, partner at Paul Hastings (Europe), who pointed out that “the risk is in the small print” as GDPR grants data subjects the right to be collectively represented by not-for-profit bodies.
“There is no longer a requirement for monetary loss before you can bring a claim so if you suffer distress you can bring a claim,” he told delegates at the British Vehicle Rental and Leasing Association (BVRLA) Fleet Technology Congress. “Imagine you have a couple of hundred thousand fleet drivers. Suddenly they’re all very distressed about being tracked or the information about where they have been being disclosed to a third party. That would be quite an interesting case for a union.”
He suggested this was the “biggest risk” from GDPR, which comes into effect in May 2018 – greater even than the penalty of 4% of annual worldwide turnover for failing to comply.
He advised companies to start by making sure “the bits visible to the regulators and users are compliant”. This includes giving detailed notices to the individuals in the vehicle about what you do with telematics data, where it goes to, the data being processed and the security that is used.
“If someone makes a claim against you, you will lose unless you can show you have processed the data correctly,” he said.
“What you need is an audit trail around the notices and consent that you might be asking for so, if someone is going to complain, you can say ‘well, on this day you stepped in the vehicle, you pressed accept, that was version 1.21 of our privacy notice that says we can track you’.
“You need that audit trail otherwise people’s claims against you will be difficult. That audit trail is really important, that functionality you really do need in online systems.”
He also advised companies to be prepared for drivers requesting to see their data and to have systems in place enabling them to automate this.
However, Jay Parmar, director of policy and membership at the BVRLA, suggested that businesses were “nervous” about carrying out investments in light of Brexit negotiations.
“When this was being debated at the European parliament the UK Government put forward 50 amendments against the current GDPR; they disagreed with 50 areas,” he said. “The law is going to be implemented but it could be that UK Government, as we get into the Brexit negotiations, might come to a different position of what the final regulatory environment will look like.”
However, businesses should not delay their preparations for GDPR.
Around half (54%) of the 300 BVRLA members and fleet managers that responded to its Fleet Technology survey said their company understood its responsibilities under GDPR, while 52% have a “clear strategy” regarding collection and use of driver and vehicle data.
“Members are telling us they’ve got a strategy but actually having a strategy and then deploying something to work within your business will be challenging,” Parmar said.
Businesses need to think about their supply chain and what data suppliers are capturing on their behalf as GDPR extends responsibility to data processors not just data controllers.
“Because processors now have legal responsibility, all your existing network of contracts need to be looked at,” Winton said. “Even if you sign a contract tomorrow that is going to extend past May 2018, you should do that analysis before you sign.”
Parmar added: “When you start to unravel the challenge ahead, the timing we’ve got is very limited.”
More articles on:
Sarah Tooze is a former managing editor of sister title Smart Transport. Prior to joining Smart Transport she worked on Fleet News for more than 10 years, latterly as deputy editor, and won the ‘automotive business journalist’ award in the 2017 Newspress Awards.
Henry Wells - 27/07/2017 11:28
this is a big deal for fleet operators and could prove costly if you get it wrong. The industry needs to think about what data they are capturing as well as what data is being captured on their behalf because, as the article quite rightly says, the new rules extend responsibility to data processors not just data controllers. If you can’t show you have processed the data correctly and someone makes a claim against you, you will lose.