On 25 May 2018 the General Data Protection Regulation (GDPR) will be introduced into UK law. This European legislation — which will not be affected by Brexit — can be seen as the next step in the evolution of data protection law. It builds upon the UK’s old rules as set out in the Data Protection Act 1998 and, in many ways, is a precursor for new domestic legislation which is likely to come into effect later this year and is currently being debated by Parliament in the form of a new Data Protection Bill. Andrew Woolfall of Backhouse Jones solicitors discusses the implications of these regulations for the transport industry.
In summary, the GDPR gives enhanced rights to individuals (referred to as data subjects) and places increased obligations on businesses (referred to as either data controllers or processors). In addition to the rights granted under the old Data Protection Act 1998, individuals will now have enhanced rights to access the data a business holds on them, plus a clear “right to be forgotten”. Businesses will become accountable, and requirements are placed upon them to show clearly how they comply with the principles of the new legislation. To be compliant, a business will have to have a clear data policy which identifies all the types of data held, the legal basis upon which each type of data is held, how that data will be handled and by whom, and when it will be disposed of. Running through the legislation is a clear theme: a business should not hold data where it has no lawful basis for doing so, and the data should be deleted as soon as it is no longer lawfully required.
These requirements are linked to further principles: data will only be processed fairly and in a transparent manner; it will be accurate and kept up to date; and it will be held and processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
The “data” covered by the GDPR includes any information which can be used, either directly or indirectly, to identify a living person. Additional, increased obligations are placed upon what is known as “sensitive personal data” (which includes information on an individual’s sexuality, religion or ethnicity, etc.).
Holding personal data
When it comes to transport, operators will hold vast amounts of personal data which is caught by the regulations. Not only will staff/personnel data be covered, but also information in the form of timesheets, tachographs, workshop records (including PMI sheets and defect reports), CCTV footage and in-cab surveillance, customer information, supplier details and vehicle tracking information, to name but a few.
For each type of data, the business will have to identify a lawful basis for holding the information. This should be identified in a data processing policy. While this might sound an onerous exercise, many businesses will in fact have a legitimate basis for holding information. The grounds permitted by the legislation include:
having the consent of the data subject
the fact that it is necessary to hold the information for the performance of a contract
the fact that it is necessary to comply with a legal obligation
it being necessary to protect the interests of a data subject or another person
that it is necessary to hold the data for the purpose of a legitimate interest pursued by the business or a third party (except where such interests are overridden by the interests, rights or freedoms of the data subject themselves).
Personal data — tachograph records
In reality, therefore, holding personal data in the form of tachograph records can be legally justified under grounds such as complying with a legal obligation (both the European drivers’ hours rules and operators’ licence conditions) and also as a legitimate interest pursued by the business (such as where the records also serve as pay records).
Personal data — maintenance records
Similarly, the legal obligation ground could be used as justification for holding maintenance records. Legitimate business interests could justify holding supplier data or some customer data. The main task for operators will be to conduct a data audit to clarify just what personal data the business holds and then to categorise it under the various legal grounds that justify holding it. Where there is no justification, the data should be deleted.
Personal data — marketing
When it comes to personal data that is used for marketing purposes, most operators (and particularly those in the PSV industries) will have to obtain the explicit consent of the data subject to both hold and use the information. The individual will also have to be given a clear, unambiguous right to be removed from such mailing lists. Once the GDPR comes into effect, unsolicited emails or other forms of promotional material, including “cold calls”, will attract increased sanctions if an individual complains.
Before 25 May 2018, operators should therefore ensure that they have explicit consent from individuals before sending out marketing materials or making unsolicited calls. Best practice would also seem to suggest that even after consent has been given, the individual should be asked to renew that agreement on a regular basis (at least annually).
Security of information held
In addition to ensuring that only the minimum amount of personal data is held, and that it is only kept for as long as is absolutely required, operators will also have to make sure that the information is kept secure. Reviews should be undertaken, with added emphasis on the security of computer systems and on how easily files of written information could be removed from the business. The loss or inadvertent disclosure of personal data can be expected to receive a higher level of interest from the Information Commissioner’s Office (ICO). Indeed, both under existing legislation and under the new GDPR, businesses have a legal responsibility to report data leaks, and the new regulations will now bring higher potential fines for breaches. Maximum penalties now go up to €20 million or 4% of a company’s annual turnover (whichever is the greater).
Will GDPR breaches affect good repute?
Breaches of the legislation could also see businesses falling foul of the Traffic Commissioners and the operator’s licence requirements. Prosecutions or other forms of enforcement action may potentially affect an operator’s good repute or fitness to hold a licence. It is not inconceivable that we will see passenger vehicle operators being called to public inquiries where there have been serious data breaches, or HGV operators where a failure to have proper systems in place has given a commercial advantage.
Once the new legislation comes into effect, many industry experts are predicting an increase in the number of data subject access requests (requests from individuals asking an organisation to detail exactly what information it holds on them) and a less tolerant approach from the ICO where there are breaches of the rules. The time period for responding to such requests will reduce from 40 days to a month, and operators will no longer be able to charge a fee for providing the information. Some are suggesting that non-compliant companies could become the next target for PPI or personal injury style claims for compensation. Operators should not, therefore, delay in conducting their data audits and producing data policies.
Action points for operators
Staff contracts and handbooks should be reviewed, as should contracts with customers and suppliers.
Organisations should review their marketing and the steps they take to attract new business.
If an operator has not already started, there is significant work to be done between now and 25 May. An operator who was compliant with the old Data Protection Act 1998 may have little to worry about, but if the business has had little in place, past non-compliance will only be exacerbated by the new rules and regulations.