Fleet operators' association ACFO has outlined a five-point action plan to help fleets comply with the forthcoming General Data Protection Regulation (GDPR).

The new rules take effect on May 25 and to help fleets with the changes, ACFO held a webinar, supported by TomTom Telematics, on the subject to clarify the implications of GDPR.

John Pryor, chairman of ACFO, said: “Fleets will already hold a lot of personal data.

"Now is the time for fleets to review and check whether they actually need all the current data being received?

"Where does the data originate and is it secure, either on computer or in locked storage?

"This is not new as all fleets should be doing this automatically.

“In the build-up to GDPR introduction it is a good time to review policy and ensure drivers are fully aware and also remind them of their obligations. The easy tick box is perhaps a thing of the past.”

GDPR is claimed by TomTom Telematics to be the “most important change in data privacy regulation in 20 years”, but was also claimed by Beverley Wise, sales director UK and Ireland, to be “an evolution, not a revolution” by bringing information protection into the digital age with processes that were “open and transparent”.

During the webinar, billed as ‘GDPR: What every fleet decision-maker needs to know’, Wise said there was no problem with collecting data that was for a “legitimate business interest”. That, for example, could include the capture and processing of mileage for travel management and business expense claims, fuel data capture and the use of driver behaviour data from in-vehicle telematics.

Nevertheless, GDPR put individuals/employees at the “front and centre” so they needed to be fully informed and advised about what data was captured, how and where it was being used and by whom.

ACFO’s five-point action plan for members is:

• Know what personal data is held including: Drivers’ name, home address, contact telephone numbers, driving licence details, National Insurance number, payment, bank and family details.
• Who has access to the data? GDPR is not “just fleet”. Many employers have working parties established to confirm what data they have and how it is used, but if that is not the case then check who can access the data that is held for fleet purposes.
• What data is passed to suppliers/contracts by fleet professionals? Partner companies must be asked and confirm what processes they have in place for managing data and be able to show secure data treatment. Most suppliers will be well advanced, but if ‘no answer’ is obtained action must be taken. Contracts should state what data fleets will supply and the frequency and the purpose for which it will be used by suppliers.
• What to tell drivers and make sure they understand where the data is, where it is being used and what is happening with it. For example, if is difficult to order/deliver a car if the supplier is not provided with name and address details.
• Deleting data loaded on to vehicle systems. Satellite navigation systems and mobile phones contain a wealth of data. It is vital to remind drivers ‘delete’ the data or reset to ‘factory setting’ ahead of defleet of a company car or the return of a hire vehicle.

Pryor added: “Fleet managers will already be doing much of what ACFO is recommending because it is common sense and good business practice. But GDPR brings more business focus.

“GDPR is process driven and while much of what is being asked for is already being done by fleets under the new rules it is important to have policies in place.”

Personal data must be kept protected from unauthorised and unlawful access, use and loss under GDPR and, in answer to a webinar question on obtaining drivers’ permission, Wise said: “Permission from employees is not required, but if it was refused then it is a bigger company policy issue.

"GDPR is about collecting data for a legitimate business interest and controlling that data.”

Data recorded by in-vehicle telematics is perhaps the area of most concern for many fleet professionals as it captures information related to individual driver behaviour and technology. Pryor said: “If vehicles have telematics fitted, fleet managers should be clear on what the information is used for and who receives it.

"This will be more sensitive if a driver says they do not want it used. In this case the company needs to be clear and managers should get internal guidance on the position.”