html5 bootstrap template

Share this news on:

GDPR | 23 MARCH 2018

ACFO publishes five-point plan to help fleet professionals comply with new GDPR rules

ACFO, the UK’s premier fleet decision-makers’ organisation, held its second webinar, which was supported by TomTom Telematics, on GDPR, and says now is the right time for fleet decision-makers to review and check all data collection and whether all information gathered is required.

Furthermore, it is critical to engage with all employees - company car and vans drivers – as well as employees who drive their own cars on business, the so-called ‘grey fleet’ and occasional drivers.

GDPR is claimed by TomTom Telematics to be the “most important change in data privacy regulation is 20 years”, but was also claimed by Beverley Wise, sales director UK and Ireland, to be “an evolution, not a revolution” and bringing information protection into the digital age with processes that were “open and transparent”.

From that point of view, Ms Wise said it was “business as usual”, with ACFO chairman John Pryor highlighting: “Fleets will already hold a lot of personal data. Now is the time to review and check whether fleets actually need all the current data is received? Where does the data originate and is it secure, either on a computer or in locked storage? This is not new as all fleets should be doing this automatically.”

During the webinar, billed as ‘GDPR: What every fleet decision-maker needs to know’, Ms Wise said there was no problem with collecting data that was for a “legitimate business interest”. That, for example, could include the capture and processing of mileage for travel management and business expense claims, fuel data capture and the use of driver behaviour data from in-vehicle telematics.

Nevertheless, GDPR put individuals/employees at the “front and centre” so they needed to be fully informed and advised about what data was captured, how and where it was being used and by whom.

Mr Pryor said: “In the build-up to GDPR introduction it is a good time to review policy and ensure drivers are fully aware of their obligation. The easy tick box is perhaps a thing of the past.”

ACFO’s five-point action plan for members is: 

  • Know what personal data is held including Drivers’ name, home address, contact telephone numbers, driving licence details, National Insurance number, payment, bank and family details.
  • Who has access to the data? GDPR is not “just fleet”. Many employers have working parties established to confirm what data they have and how it is used, but if that is not the case then check who can access the data that is held for fleet purposes.
  • What data is passed to suppliers/contracts by fleet professionals? Partner companies must be asked and confirm what processes they have in place for managing data and be able to show secure data treatment. Most suppliers will be well advanced, but if ‘no answer’ is obtained action must be taken. Contracts should state what data fleets will supply and the frequency and the purpose for which it will be used by suppliers. ·
  • What to tell drivers and make sure they understand where the data is, where it is being used and what is happening with it. For example, if is difficult to order/deliver a car if the supplier is not provided with name and address details.
  • Deleting data loaded on to vehicle systems. Satellite navigation systems and mobile phones contain a wealth of data. It is vital to remind drivers ‘delete’ the data or reset to ‘factory setting’ ahead of deflect of a company car or the return of a hire vehicle.

Mr Pryor said: “Fleet managers will already be doing much of what ACFO is recommending because it is common sense and good business practice. But GDPR brings more business focus.

“GDPR is process driven and while much of what is being asked for is already being done by fleets under the new rules it is important to have policies in place.”

Personal data must be kept protected from unauthorised and unlawful access, use and loss under GDPR and, in answer to a webinar question on obtaining drivers’ permission, Ms Wise said: “Permission from employees is not required, but if it was refused then it is a bigger company policy issue. GDPR is about collecting data for legitimate business interest and controlling that data.”

Data recorded by in-vehicle telematics is perhaps the area of most concern for many fleet professionals as it captures information related to individual driver behaviour and technology, but said Mr Pryor: “If vehicles have telematics fitted, fleet managers should be clear on what the information is used for and who receives it. This will be more sensitive if a driver says they do not want it used. In this case, the company needs to be clear and managers should get internal guidance on the position.”

GDPR builds on existing data protection legislation with a particular focus on digitalisation and technology. Core to the 1998 Data Protection Act are eight data protection “principles” and GDPR reforms those and introduces new “principles” of transparency and accountability with the ability to “prove consent” a significant pillar of the new regulations.

Penalties for breaching the core “principles” of GDPR are potentially huge with a maximum fine for companies of €20 million or 4% of the total worldwide annual turnover of the preceding financial year, whichever is the higher. What’s more the reputational damage of businesses misusing or losing data could be significant.

The webinar will be available as a download from the ‘members’ area’ of the ACFO website - - and is accompanied by a toolkit containing relevant guides and resources.

Back to News List