The data protection stakes are higher than ever, and every employee should carry some of the responsibility for keeping the organisation compliant.
With the General Data Protection Regulation (GDPR) about to apply, delegating the whole job to a single nominated individual, such as a data protection officer, is unlikely to be enough.
Instead, a change in culture is required if a business is to get to grips with its data protection obligations.
The consequences of failing to act are substantial. When GDPR applies from 25 May 2018, the maximum fine for the most serious infringements will be 20 million Euros or 4% of total worldwide annual turnover, whichever is higher.
The fleet supply chain is a particularly high-risk area, because of the sheer volume of data it handles and the number of different parties that process that data along the way. GDPR places obligations on every party, so it is vital that every link in the chain is secure.
Within that chain there are obvious data streams, such as payroll, but there are also less obvious ones, including everyday email. In this context a personal data breach can be as simple as copying someone into an email thread that contains personal data they have no legitimate need to see; unauthorised disclosure counts as a breach even when nothing leaves the company.
What is covered by the GDPR?
So, where do you start when attempting to get to grips with the new regulations?
Firstly, it is important to understand that GDPR is concerned with protecting personal data, defined as 'any information relating to an identified or identifiable natural person'.
This includes the usual categories of personal data but also extends to less obvious items, such as:
- Opinions, as well as facts
- Email addresses
- Job performance
- Interview notes
The categories of data covered are wide-ranging. A subset is treated as 'special category' data and may only be processed where one of a narrow set of conditions applies, the most commonly relied on being the explicit consent of the data subject. This covers 'personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation'. Driver health and medical fitness records are the example most fleets will encounter.
Develop an action plan
An important first step towards compliance is mapping every flow of personal data across the business.
This means identifying all data flows into and out of the business, together with each organisation or individual that processes the information at each point in the supply chain.
It is then necessary to understand and document the lawful basis for each flow. Consent is one basis, but it must be freely given, specific and easy to withdraw, which makes it a poor fit for data about your own employees, where the imbalance of power means consent is rarely considered freely given. Performance of a contract, compliance with a legal obligation and legitimate interests are often the more appropriate bases for fleet data, and the chosen basis should be recorded for each flow.
With this in hand, establish whether any flow needs a different basis, or fresh consent, to remain compliant. Where another organisation processes personal data on your behalf, for example a supplier, GDPR requires a written contract covering the mandatory terms set out in Article 28. Where data is exchanged with another controller, such as a customer, a written data sharing agreement is not mandated in the same way but is strongly advisable.
The Information Commissioner's Office (ICO) has published useful guidance on the elements that should appear in the contract wording. It can be tempting to try to push liability further down the supply chain; however, given the tight timeframe, a more pragmatic approach of reciprocal indemnity against liability may allow you to gain agreement from all parties on a consistent set of contract terms.
Scrutinise every link in the chain
Many of these suppliers will, in turn, use secondary suppliers, so your contracts must require that the same obligations are flowed down to those organisations and that no sub-processor is engaged without your authorisation.
It is also useful to weigh the risk of each transfer by the number of people who could be affected. For example, a file containing 10,000 records might be transferred to a primary supplier, such as a breakdown provider, but if that supplier sub-contracts a specific incident to a recovery agent, only the single record relevant to that incident needs to be passed on. The exposure is significant in the first transfer and much smaller in the second, although it is still present and still needs a contract.
Another commonly overlooked aspect of the data flow is where the supply chain gathers information directly from a data subject, and then passes this information back through for further processing. A prime example of this would be in the field of accident management, where an incident record captures data from a driver, and passes this through to the fleet manager. In these circumstances, the data controller to processor relationship is reversed, so contracts will need to reflect this.
Drawing up compliant contracts is often costly and time-consuming, and some of that effort can be avoided by eliminating or reducing the personal data that is exchanged in the first place. At Fleet Operations, for example, we control and process a large amount of personal data about our customers' employees, who are the drivers of company vehicles.
We have removed the driver's personal data from some of our outbound data feeds and replaced it with a unique identification code; the mapping between code and driver is held only within our organisation and is never shared. Suppliers can record a 'user' against a vehicle on their systems, but have no way of identifying that person. This does create additional administration: any incident that requires a supplier to contact or nominate a driver directly, such as a notice of intended prosecution, has to be referred back to us and processed internally.
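The approach above can be put into code. What follows is an added illustration written for this article, not Fleet Operations' own system: drivers are given an opaque code computed with a keyed HMAC over an internal employee ID (the key and the code-to-driver table never leave the organisation), the outbound supplier feed carries only vehicle and code, a pre-send check scans the feed for any driver field, and a supplier referral that comes back with a code is resolved internally. The `DriverPseudonymiser` class, the field names and the sample drivers are all constructed for the example.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, asdict
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Driver:
    """Internal driver record. Every field is personal data and must not leave the organisation."""
    employee_id: str
    name: str
    email: str
    licence_no: str


class DriverPseudonymiser:
    """Issues opaque user codes for supplier feeds and resolves them back internally.

    Hypothetical helper for this example. The HMAC key and the code->driver table are the
    only link between a code and a person; both stay inside the organisation.
    """

    def __init__(self, key: Optional[bytes] = None) -> None:
        # Per-organisation secret. Without it a supplier cannot recompute codes from
        # guessed employee IDs, so the code is not simply a hash of an identifier.
        self._key = key if key is not None else secrets.token_bytes(32)
        self._lookup: Dict[str, Driver] = {}

    def code_for(self, driver: Driver) -> str:
        # Keyed and deterministic: the same driver always gets the same code, so a supplier
        # can keep a consistent 'user' against a vehicle without knowing who it is.
        digest = hmac.new(self._key, driver.employee_id.encode("utf-8"), hashlib.sha256)
        code = digest.hexdigest()[:16]
        self._lookup[code] = driver
        return code

    def resolve(self, code: str) -> Optional[Driver]:
        # Only this side of the organisational boundary can turn a code back into a person.
        return self._lookup.get(code)


def build_supplier_feed(pseud: DriverPseudonymiser,
                        assignments: List[Tuple[str, Driver]]) -> List[dict]:
    """Vehicle/driver assignments -> records safe to send to a supplier (vehicle + code only)."""
    return [{"vehicle": reg, "user_code": pseud.code_for(driver)} for reg, driver in assignments]


def feed_leaks_personal_data(feed: List[dict], drivers: List[Driver]) -> bool:
    """Pre-send check: does any field of any driver appear anywhere in the serialised feed?"""
    blob = json.dumps(feed).lower()
    return any(value and value.lower() in blob
               for d in drivers for value in asdict(d).values())


def handle_supplier_referral(pseud: DriverPseudonymiser, referral: dict) -> dict:
    """A supplier refers an incident (e.g. a notice of intended prosecution) back by user_code.

    Resolution happens internally; the supplier is never told who the driver is, and an
    unknown code is flagged for manual review rather than guessed at.
    """
    driver = pseud.resolve(referral.get("user_code", ""))
    if driver is None:
        return {"vehicle": referral.get("vehicle"), "status": "manual_review",
                "reason": "unknown user_code"}
    return {
        "vehicle": referral["vehicle"],
        "status": "nominate_internally",
        "incident": referral.get("incident"),
        "contact": driver.email,  # internal use only; never echoed back to the supplier
    }


# Constructed sample data for this example; not real drivers or vehicles.
SAMPLE_DRIVERS = [
    Driver("EMP-1001", "Alice Example", "alice@example.test", "EXAMP901011AA9AA"),
    Driver("EMP-1002", "Bob Example", "bob@example.test", "EXAMP902022BB9BB"),
]
SAMPLE_ASSIGNMENTS = [("AB12 CDE", SAMPLE_DRIVERS[0]), ("FG34 HIJ", SAMPLE_DRIVERS[1])]

if __name__ == "__main__":
    pseud = DriverPseudonymiser()
    feed = build_supplier_feed(pseud, SAMPLE_ASSIGNMENTS)
    print("outbound feed:", feed)
    print("leaks personal data:", feed_leaks_personal_data(feed, SAMPLE_DRIVERS))
    referral = {"vehicle": feed[0]["vehicle"], "user_code": feed[0]["user_code"], "incident": "NIP"}
    print("internal referral:", handle_supplier_referral(pseud, referral))
```

One caveat a practitioner should keep in mind: because the organisation retains the key and the lookup table, the code is pseudonymised rather than anonymised data. It is still personal data in the hands of the organisation that can reverse it, so the internal mapping needs the same access controls and retention rules as the driver records themselves; what the technique buys is that the supplier holds no personal data at all.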
Winning hearts and minds
Beyond the practical steps needed to meet the GDPR requirements, organisational culture is key.
Even with the right structures and procedures in place, no single person can prevent breaches on their own, so it is important to gain buy-in from all employees and make sure everyone is clear about their duties.
That can only happen through effective communication. Regular email bulletins, workshops and briefings help to demystify the regulation for staff and keep data protection front of mind in everyday tasks.
Once you are clear about the changes required at an organisational level, communicate them plainly to staff and set out their roles and responsibilities within the new structures and processes. Review on an ongoing basis that employees remain clear about what is expected of them and are actually doing it.
By creating a culture that treats the safeguarding of personal data as a priority, underpinned by strong organisational policies on data protection and retention, your business will be in a much stronger position to adapt to the change in the law.
by Brian Hardwick, Head of Operations.