Employers have three months to ensure more than two million fleet drivers have signed new driver licence-checking consent forms.
Documents have to be revalidated under the provisions of new data protection legislation – the General Data Protection Regulation (GDPR) – which comes into force on May 25.
GDPR requires businesses to comply with a new set of rules designed to safeguard personal data. Driver consent forms from the Driver and Vehicle Licensing Agency (DVLA) for licence-checking by third-party companies fall under the legislation.
DVLA-licensed providers are able to allow employers access to the DVLA driver database using a ‘blanket’ type of consent that can last for up to three years. Known as the D796 driver mandate, it allows multiple checks against the database.
However, the form has been ditched by the DVLA because it doesn’t comply with GDPR. Instead, drivers must sign a new form – the D906 Fair Processing Declaration – for the consent to continue to be valid.
The Association for Driving Licence Verification (ADLV) estimates two million drivers will have to sign the new form. Non-compliance could see firms hit with heavy fines imposed by the Information Commissioner.
A DVLA spokesman told Fleet News: “In readiness for the introduction of GDPR, DVLA has reviewed the Access to Driver Data and Driver Licence Check services which allow employers and other third parties to request driving licence data.
“Consent will no longer be the basis upon which DVLA releases data under GDPR.
“Requests for driving licence data via these services must be supported by a completed and signed D906 Fair Processing Declaration. These forms ensure that drivers understand who is requesting their driving licence data, what the data is, how it is being requested, and for what reason.”
The validity of the new D906 form will expire three years from the date of the driver’s signature or when the driver stops driving in connection with the company, whichever occurs sooner.
The DVLA says that in recognition of the need for employers and fleet managers to meet their duty of care obligations, and the “significant task” in transferring to the new fair processing declaration form, the current consent forms will continue to be valid for a three-month transitional period, from May 25 to August 25.
Malcolm Maycock, chairman of the ADLV, said the industry faced a “mammoth task in a short timeframe” to ensure that all processing is correct and complies fully with the new GDPR legislation.
“The good news is that the new data processing declarations will continue to remain valid for three years from the date permission is granted,” he said.
Employers and fleet managers, who are legally obliged to check a driver’s entitlement to drive, will be under enormous pressure to hit the August deadline.
For its part, the ADLV says its members are advising customers on the implications of the change and how they can ensure compliance with the new DVLA requirements.
However, technical director of the ADLV, Kevin Curtis, said: “This is a huge shift for the DVLA and, indeed, the driving licence checking industry as a whole.
“From a technical and compliance perspective, all employers and third parties who are responsible for licence checking will need to be able to demonstrate that the new fair processing declaration has been signed by the driver. This will need to be stored in a way that can be audited to ensure compliance with the new GDPR legislation.”
The employer will need to show evidence of a clear process where the driver has agreed and signed off the data processing, with a date and time of the declaration.
Curtis also warned they need to consider how driver information is being stored, along with grey fleet documentation, including road tax, MOT and insurance information.
In a webinar organised by risk management company Driving Monitor, Curtis said: “There are lots of considerations around driver data and identifying that personal data.”
For example, it is important that data can be accessed quickly to adhere to the new rules.
“If we don’t have systems to get hold of this data, it’s going to be very difficult to respond, particularly if there are going to be a number of access requests coming into the business,” he said.
Curtis believes that, over time, GDPR will make paper driver records redundant, because of how difficult it will be to “categorise, secure and access”.
“Storing that data is one of the key aspects of GDPR,” he said. “We need to look at the systems data is stored in and whether it is in a secure environment.
“For example, do you have Excel spreadsheets and email them around; is the email channel encrypted; are the computers those spreadsheets are saved on encrypted?”
Any paper files in cabinets will also need to be secured, says Curtis. “Paper is one of the biggest risks… you don’t generally think about locking cabinets or your desk.”
SUPPLY CHAIN MANAGEMENT
Fleet decision-makers will also need to consider what data is passed to suppliers. Partner companies must be asked, and must confirm, what processes they have in place for managing data, and must be able to show secure data treatment.
Most suppliers will be well advanced, but if ‘no answer’ is received, action must be taken. Contracts should state what data fleets will supply and the frequency and the purpose for which it will be used by suppliers.
Satellite navigation systems and mobile phones contain a wealth of data so it is vital to remind drivers to ‘delete’ the data or reset to ‘factory setting’ ahead of defleet of a company car or the return of a hire vehicle.
A recent poll of fleet managers by Masternaut revealed that only 20% of respondents were confident they would be fully compliant with the GDPR by May 25 – 47% reported that they have a long way to go or have just started preparing.
Meanwhile, a poll by Fleet News revealed around a third of respondents were not confident of meeting GDPR obligations to their fleet drivers.