What is the GDPR?

The General Data Protection Regulation (GDPR) comes into force on 25 May 2018 and replaces the current Data Protection Act 1998 (DPA).

Why do you need to take action?

The GDPR gives enhanced rights to individuals, referred to as data subjects, and places increased obligations on businesses.

The new rules are designed to make sure that people’s personal information is protected — no matter where it is sent, processed or stored, nationally or internationally.

Under the DPA 1998, organisations were deemed compliant until there was a breach. Under GDPR, organisations will need to have evidence that they are compliant from the start. This means that you, as a transport business, need to have documents and processes in place to demonstrate you are following the regulations and ensuring the safeguarding of the data that you hold.

Dealing with employee data

As well as dealing with the data relating to their customers and other organisations, employers also need to have regard to personal information collected from those who work for them. Under the GDPR, employees as data subjects will have greater rights and, although many of the new requirements are not dissimilar to those laid down under the DPA 1998, they are generally expanded. In this context, employees will have, under the GDPR, the right:

  • to rectification of data that is inaccurate or incomplete

  • to be forgotten under certain circumstances (where the data are no longer necessary for the purpose for which they were originally collected, for example)

  • to be informed as to how their personal data will be used

  • to data portability (that is, to obtain and reuse their personal data for their own purposes across different services)

  • of access.

What do you need to do as a haulage operator?

  1. You must register with the Information Commissioner’s Office (ICO) if you have not done so already. As a haulage operator, your business can act as both “data controller” (if you hold drivers’ tachograph data, for example) and “processor”, which means you must register with the ICO.

  2. Ensure your staff are trained on GDPR. Everyone working for you needs to have completed GDPR awareness training and have a good understanding of your policies and procedures. Refer to this General Data Protection Regulation — Staff Awareness Training Presentation to help you with your training needs.


    Most public sector organisations are required to appoint a Data Protection Officer (DPO) but this is not mandatory for commercial organisations. The latter should nevertheless decide on a particular member of staff to be the contact for data protection queries. This person should be named on the organisation’s website and in internal training material, with their contact details provided, so that other employees, clients and users of the service know to whom their requests and/or complaints about data held by the organisation should be addressed.

  3. Compile and retain a “catalogue” of all the information that your organisation holds and processes, often referred to as an Information Asset Register. This will include the following.

    • Is it personal or sensitive?

    • How is the information stored?

    • Is it shared or transported, and if so, how is this done?

    • Is the information included in a retention schedule?

    • How long are you keeping it for?

    You can use this template of an Information Asset Register which you can download and fill in for your provision. Each set of boxes represents a different type of “asset”, for example:

    • drivers’ hours records

    • vehicle daily defect reports

    • maintenance records

    • drivers’ licences

    • expenses claims.

  4. Write a privacy notice and publish it on your website. This should include the following.

    • The type of information you are collecting (names, addresses, dates of birth, ethnicity, etc).

    • Who is collecting it and how (paper forms, electronic forms, etc)?

    • Why is it being collected?

    • How will the information be used?

    • Who will you share the data with (this may include other companies within your group, or government departments such as HMRC or DfT)?

    • Will there be an effect on the individual (data subject) concerned and is it likely to cause any individuals to object or complain?

    Find a template GDPR Privacy Notice here.

  5. Update your data protection policy to ensure compliance with GDPR. You can use these templates: Access to Employee Data — GDPR Policy and the Data Protection — GDPR Policy.

Specimen GDPR data audit checklist

Download this GDPR Data Audit Checklist — Example to check and demonstrate your compliance with the GDPR.

There is also a blank form to use for your own records.

Last reviewed 10 December 2019