Fleets must be on their guard over removal of vehicle OBD-II Port and GDPR impact
Fleet managers have been warned to be wary of signing up to
long-term telematics contracts that require the ‘plug and play’ technology to
be plugged into vehicles’ onboard diagnostic-II (OBD) port, which is shortly
expected to become obsolete.
The warning comes from one of the UK’s most experienced
fleet consultants, who is also advising fleet managers and their data
management colleagues to implement policies and procedures to manage the robust
deletion of information from in-car connected systems with next year’s
introduction of the General Data Protection Regulation (GDPR).
Marcus Puddy, who has a 30-year
fleet industry career behind him and is managing director of Puddy Vehicle
Solutions (PVS), said the OBD-II Port was originally intended as an access
point for mechanics to gain vehicle diagnostic data. However, it had
subsequently become the plug-in point for aftermarket devices, notably ‘track
and trace’ telematics systems.
Amid growing vehicle connectivity and ever-increasing
concerns about the management of so-called ‘big data’, notably with the May 25,
2018 implementation of GDPR, motor manufacturers are looking to make the OBD-II
Mr Puddy said: “The industry was first alerted to the risks
and security of the OBD-II Port being used by telematics devices, when hackers
gained control of a Jeep by using a plug-in dongle with mobile connectivity.
“Since then at least one new car has been launched with no
OBD-II Port and we know German motor manufacturers, as well as other major
carmakers, are collectively discussing restricting access to this data stream
whilst a vehicle is in motion. As a result, OBD-II Port access for ‘plug and
play’ aftermarket technology could become obsolete on new models, possibly
those launched in the next 12 months.
“While that will not impact on contracts relating to ‘track
and trace’ systems fitted to existing fleet vehicles, fleet and procurement
managers who sign such deals expecting the technology to also be added to new
company cars and vans in the future may find they are paying for something
that cannot be used. Managers need to think carefully before signing long-term
‘plug and play’ technology contracts.”
He added: “Manufacturers’ decision to either remove the
OBD-II Port from vehicles or restrict access to it through their own cloud-based
solution behind a secure encrypted on-board technology could be viewed as both
tackling security concerns, while also aiming to create a new revenue stream by
selling vehicle data to third parties.”
Furthermore, businesses must also be focused on managing
data - and particularly the deletion of data - from vehicles ahead of defleet
with the introduction of GDPR.
Mr Puddy is advising fleet and data managers to remind
company car and van drivers of the importance of either manually deleting
personal data from vehicles or, where fitted, using the ‘factory reset’ button.
He said: “Connectivity is on the radar of fleet managers,
but, in my experience, not the importance of data management and deletion,
particularly in relation to GDPR where information is stored in a vehicle,
notably from satellite navigation devices, multi-media systems and smartphones.
“Managers must have in place processes where they can be
assured that either drivers are deleting data ahead of vehicle defleet or their
leasing, rental and remarketing company partners have robust policies and
procedures in place to efficiently and effectively manage the deletion on the
return of the vehicle.”
GDPR builds on existing data protection legislation with
a particular focus on digitalisation and technology. Core to the 1998 Data
Protection Act are eight data protection “principles”, and GDPR reforms those
and introduces new “principles” of transparency and accountability, with the
ability to “prove consent” a significant pillar of the new regulations.
Penalties for breaching the core “principles” of GDPR are
potentially huge with a maximum fine for companies of €20 million or 4% of
total worldwide annual turnover of the preceding financial year, whichever is
the higher. What’s more, while the financial cost of data breaches is
potentially huge, the reputational damage to businesses misusing data or losing it
must also not be underestimated.