What is the UK GDPR?
The General Data Protection Regulation (GDPR) came into force on 25 May 2018 and replaced the Data Protection Act 1998 (DPA). As an EU regulation, it was directly applicable in the UK and did not require separate implementation. However, it gave Member States limited opportunities to make provisions for how it applied in their particular country, and the UK Government took advantage of this option to introduce the Data Protection Act 2018, which adds details such as penalties for non-compliance.
As the Brexit process continued, it became apparent that the UK would need a regime closely based on the GDPR once it finally left the EU and the Government’s answer was to adopt the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 which created the concept of UK GDPR — essentially mirroring the EU original but with changes such as replacing references to the European Commission with details of the Information Commissioner's Office (ICO).
As the two are essentially the same in most of their requirements, it seems likely that most people will continue to refer to the GDPR rather than the UK GDPR.
Why do you need to take action?
The GDPR gives enhanced rights to individuals, referred to as data subjects, and places increased obligations on businesses.
The new rules are designed to make sure that people’s personal information is protected — no matter where it is sent, processed or stored, nationally or internationally.
Under the DPA 1998, organisations were deemed compliant until there was a breach. Under GDPR, organisations will need to have evidence that they are compliant from the start. This means that you, as a transport business, need to have documents and processes in place to demonstrate you are following the regulations and ensuring the safeguarding of the data that you hold.
Dealing with employee data
As well as dealing with the data relating to their customers and other organisations, employers also need to have regard to personal information collected from those who work for them. Under the GDPR, employees as data subjects will have greater rights and, although many of the new requirements are not dissimilar to those laid down under the DPA 1998, they are generally expanded. In this context, employees will have, under the GDPR, the right:
to rectification of data that is inaccurate or incomplete
to be forgotten under certain circumstances (where the data are no longer necessary for the purpose for which they were originally collected, for example)
to be informed as to how their personal data will be used
to data portability (that is, to obtain and reuse their personal data for their own purposes across different services)
What do you need to do as a haulage operator?
You must register with the Information Commissioner’s Office (ICO) if you have not done so already. As a haulage operator, your business can act as a “data controller” (if you hold drivers’ tachograph data, for example) or as a “processor”, and in either case you must register with the ICO.
Ensure your staff are trained on GDPR. Everyone working for you needs to have completed GDPR awareness training and have a good understanding of your policies and procedures. Refer to this General Data Protection Regulation — Staff Awareness Training Presentation to help you with your training needs.
Most public sector organisations are required to appoint a Data Protection Officer (DPO) but this is not mandatory for commercial organisations. The latter should nevertheless decide on a particular member of staff to be the contact for data protection queries. This person should be named on the organisation’s website and in internal training material, with their contact details provided, so that other employees, clients and users of the service know to whom their requests and/or complaints about data held by the organisation should be addressed.
Compile and retain a “catalogue” of all the information that your organisation holds and processes, often referred to as an Information Asset Register. This will include the following.
Is it personal or sensitive?
How is the information stored?
Is it shared or transported, and if so, how is this done?
Is the information included in a retention schedule?
How long are you keeping it for?
You can use this template of an Information Asset Register, which you can download and fill in for your own operation. Each set of boxes represents a different type of “asset”, for example:
drivers’ hours records
vehicle daily defect reports
Write a privacy notice and publish it on your website. This should include the following.
The type of information you are collecting (names, addresses, dates of birth, ethnicity, etc).
Who is collecting it and how (paper forms, electronic forms, etc)?
Why is it being collected?
How will the information be used?
Who will you share the data with (this may include other companies within your group and government departments such as HMRC or DfT)?
Will there be an effect on the individual (data subject) concerned and is it likely to cause any individuals to object or complain?
Find a template GDPR Privacy Notice here. Update your data protection policy to ensure compliance with the GDPR. You can use these templates: Access to Employee Data — GDPR Policy and Data Protection — GDPR Policy.
Specimen GDPR data audit checklist
Download this GDPR Data Audit Checklist — Example to check and demonstrate your compliance with the GDPR.
There is also a blank form to use for your own records.