Fleets are being reminded that they risk breaching data protection rules if personal information is left stored on vehicle systems when those vehicles are defleeted.

Anesh Chauhan, founder of Vehicle Data Clear (VDC), a start-up company that has been formed specifically to help clear data from company car fleets, said many fleets are not aware how much data is actually stored on modern vehicles, including phone contacts, call histories and home addresses stored in sat-nav systems.

The General Data Protection Regulation (GDPR), which came into force on May 25, requires businesses to comply with rules designed to safeguard personal data.

As specified in Article 5 of the GDPR, data should be kept in a form which permits identification of data subjects for no longer than is necessary. This means that the data needs clearing when a vehicle is changing owners, when it has been written off and will be scrapped, or when it has been rented and will be rented by someone else.

The Government’s National Cyber Security Centre says the fleet industry should treat a modern car or van like any other connected device: delete all personal data and disable the account that has been used with the car.

“Privacy is already seen as a key issue with phones, tablets, and laptops,” it said. “Cars and other internet connected devices should also be added to the list.”

Chauhan told Fleet News: “Modern vehicles have now become one of the most complex devices on earth, capable of holding enormous amounts of data. However, they are vulnerable as this data can easily be accessed.

“Vehicles are commonly transferred, sold or disposed of without proper consideration given to the data they may hold.”

Under GDPR, organisations face financial penalties of up to 2% of annual global turnover or €10 million (£8.7m), whichever sum is the greater, for minor breaches.

For breaches that are considered more serious, the penalty is up to 4% of annual turnover, or €20m (£17.4m), again whichever is the greater. It is even possible to be fined twice in connection with the same breach.

Chauhan said many fleets appear to be unaware of their responsibilities and of the amount of retained data that is left in vehicles before they are transferred to a third party.

Caroline Sandall, deputy chairman of fleet representative body ACFO and a director at ESE UK Consulting, said clearing personal data from vehicles is something fleet managers should be providing clear advice to drivers about.

“There are many defleet companies who will – as standard – raise clearing personal data from vehicles with drivers at the point of collection even to the extent of including it on the collection form,” explained Sandall.

“My view is that it’s perhaps a leap to state that all fleets are directly responsible for ensuring that data is removed, but I would agree there is responsibility here to create processes to ensure drivers are aware and are informed and, indeed, instructed to remove any data.

“Fleets should work with their defleet providers to check with the drivers and examine the feasibility of wiping data.”

ACFO’s advice is to check which cars store which data, and how effective the fleet’s processes are at informing employees about GDPR and at protecting both the data drivers choose to load into the car and the data the car may collect.

The Information Commissioner’s Office (ICO) is the body responsible for policing GDPR and Sandall said fleets need to check with their legal and data protection experts to determine liability.

It is possible for fleets to clear all electronic and physical data themselves, although Chauhan argues that in many cases “it would be impractical, time consuming and risky”.

He said: “Using specialist companies removes the risk, ensures experts with knowledge of a particular vehicle clear everything properly and completely and provide an insurance-backed audit trail for full peace of mind.”

The VDC service is priced per vehicle in the ‘tens of pounds’, although Chauhan said an exact price per car is determined by volume.

He concluded: “It is a question of determining the level of risk and the impact a data breach could have on a company. Clearing data from vehicles is no exception.”