Many logistics companies collect information on drivers, including their location, speed and how long they’ve been travelling. However, when the EU General Data Protection Regulation (GDPR) takes effect on 25 May 2018, this practice will have to change, as telemetrics will be considered personal data and subject to the Regulation’s requirements.
Article 4 of the GDPR defines personal data as any information relating to an identified or identifiable person. It adds:
“[A]n identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location number, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
As well as expanding the definition of personal data, the GDPR clamps down on the way organisations can collect and store data. That’s not to say that logistics companies won’t be able to use telemetrics any more. Rather, they need to be a lot more careful about how they do so.
Organisations can still track data
Many companies currently use implied consent to justify monitoring but, under the GDPR, employees cannot give consent to an employer because of the inherent imbalance of power. In other words, consent can’t be “freely given” if the data subject faces a potential negative effect from not consenting. It’s reasonable to expect that an employee might fear for their job (or at least fear losing favour among their bosses) if they don’t consent to having a tracker placed in their vehicle.
Organisations should therefore seek one of the five other lawful grounds for processing data. For logistics companies, contract of employment and legitimate interest will cover most necessary processing activities.
For example, if organisations pay their drivers based on how long they drove for, they are within their rights to monitor this information. Similarly, they can monitor an employee’s location to make sure they are en route to their destination.
Whatever lawful ground logistics companies use, they need to:
- Tell employees what data they are collecting and for what purpose;
- Use the data only to fulfil its original purpose;
- Securely store and encrypt records and logs wherever possible; and
- Give individuals the right to request a copy of any data in which they are clearly identifiable. If the request is valid and permissible, the organisation must supply the individual with the data within 30 days of the validation.
You need an audit trail
If you don’t meet these requirements, you could be subject to a class action lawsuit from drivers, warned Ashley Winton, a partner at law firm Paul Hastings.
Speaking at the British Vehicle Rental and Leasing Association Fleet Technology Congress, Winton said: “There is no longer a requirement for monetary loss before you can bring a claim so if you suffer distress you can bring a claim.
“Imagine you have a couple of hundred thousand fleet drivers. Suddenly they’re all very distressed about being tracked or the information about where they have been being disclosed to a third party. That would be quite an interesting case for a union.”
He added: “If someone makes a claim against you, you will lose unless you can show you have processed the data correctly. […] You need that audit trail otherwise people’s claims against you will be difficult. That audit trail is really important, that functionality you really do need in online systems.”
Audit trails are an essential part of any organisation’s GDPR preparations. You need to know the type of data being held, where the data resides, who ‘owns’ the data, who has access to the data and with whom the data is shared.
Our GDPR data flow audit service helps you manage that process. Our experts will conduct a thorough audit of the personal data in your organisation and give you a data flow map. This helps you to respond promptly to employees’ requests for copies of their personal data and put in place measures to reduce the risk of an information security breach.