
Fleets must be on their guard over removal of vehicle OBD-II Port and GDPR impact

Fleet managers have been warned to be wary of signing up to long-term telematics contracts that require the ‘plug and play’ technology to be plugged into vehicles’ onboard diagnostic-II (OBD) port, which is shortly expected to become obsolete.

The warning comes from one of the UK’s most experienced fleet consultants, who is also advising fleet managers and their data management colleagues to implement policies and procedures to manage the robust deletion of information from in-car connected systems with next year’s introduction of the General Data Protection Regulation (GDPR).  

Marcus Puddy, who has a 30-year fleet industry career behind him and is managing director of Puddy Vehicle Solutions (PVS), said the OBD-II Port was originally intended as an access point for mechanics to gain vehicle diagnostic data. However, it had subsequently become the plug-in point for aftermarket devices, notably ‘track and trace’ telematics systems.
 

Amid growing vehicle connectivity and ever-increasing concerns about the management of so-called ‘big data’, notably with the May 25, 2018 implementation of GDPR, motor manufacturers are looking to make the OBD-II Port obsolete.  

Mr Puddy said: “The industry was first alerted to the risks and security of the OBD-II Port being used by telematics devices, when hackers gained control of a Jeep by using a plug-in dongle with mobile connectivity. 

“Since then at least one new car has been launched with no OBD-II Port and we know German motor manufacturers, as well as other major carmakers, are collectively discussing restricting access to this data stream whilst a vehicle is in motion. As a result, OBD-II Port access for ‘plug and play’ aftermarket technology could become obsolete on new models, possibly those launched in the next 12 months.  

“While that will not impact on contracts relating to ‘track and trace’ systems fitted to existing fleet vehicles, fleet and procurement managers who sign such deals expecting the technology to also be added to new company cars and vans in the future, may find they are paying for something that cannot be used. Managers need to think carefully before signing long-term ‘plug and play’ technology contracts.”  

He added: “Manufacturers’ decision to either remove the OBD-II Port from vehicles or restrict access to it through their own cloud-based solution behind a secure encrypted on-board technology could be viewed as both tackling security concerns, while also aiming to create a new revenue stream by selling vehicle data to third parties.”  

Furthermore, businesses must also be focused on managing data - and particularly the deletion of data - from vehicles ahead of defleet with the introduction of GDPR.  

Mr Puddy is advising fleet and data managers to remind company car and van drivers of the importance of either manually deleting personal data from vehicles or, where fitted, using the ‘factory reset’ button.

He said: “Connectivity is on the radar of fleet managers, but, in my experience, not the importance of data management and deletion, particularly in relation to GDPR where information is stored in a vehicle notably from satellite navigation devices, multi-media systems and smartphones.

“Managers must have in place processes where they can be assured that either drivers are deleting data ahead of vehicle defleet or their leasing, rental and remarketing company partners have robust policies and procedures in place to efficiently and effectively manage the deletion on the return of the vehicle.”  

GDPR builds on existing data protection legislation with a particular focus on digitalisation and technology. Core to the 1998 Data Protection Act are eight data protection “principles”; GDPR reforms those and introduces new “principles” of transparency and accountability, with the ability to “prove consent” a significant pillar of the new regulations.

Penalties for breaching the core “principles” of GDPR are potentially huge, with a maximum fine for companies of €20 million or 4% of total worldwide annual turnover of the preceding financial year, whichever is the higher. What’s more, while the financial cost of data breaches is potentially huge, the reputational damage to businesses misusing data or losing it must also not be underestimated.