It's only recently, since some large, notable companies received a sharp slap across the knuckles in the form of eye-watering fines, that data protection has become a real 'thing'. It is about to become an even bigger thing when the new rules come into effect on 25th May 2018.
Protecting people's data is important, and it is not difficult once you have a clearly defined policy, an understanding of what data you hold, and some simple measures in place. This blog outlines the basics...
The purpose of the new GDPR rules is to strengthen the privacy rights of individuals in the EU and to make businesses more accountable for how they protect personal data. The General Data Protection Regulation (GDPR) applies not only to businesses established in the EU, but to any business that offers goods or services to individuals in the EU, wherever that business is based.
Failure to comply with the requirements could result in fines of up to €20 million or 4% of total annual worldwide turnover, whichever is higher, making this a critical issue for many fleet and leasing managers.
What does the GDPR involve?
While businesses will recognize many of the principles enshrined in the GDPR from existing data protection law, the regulation adds new measures and strengthens existing ones in ways that will affect systems and processes across every business unit.
The GDPR gives individuals enhanced rights over the processing of their personal data and imposes corresponding obligations on the organizations that collect and process it. Individuals will have the right to have their data erased or transferred to an alternative service provider, and will be able to claim compensation for material and/or non-material damage arising from infringements, including data breaches. They will also be able to participate in group litigation.
Among the changes coming into force in May 2018 are:
· the introduction of data protection impact assessments
· mandatory appointment of data protection officers for certain organizations
· more stringent rules for obtaining consent to collect and use personal data
· tighter rules for data controllers and data processors
· changes to data breach disclosure requirements
· the introduction of substantial fines for failure to comply with the GDPR
But how can you ensure compliance in an asset finance business built on vehicle fleets, in which personal data is held across a variety of management systems (quality, environmental, financial, asset and information)?
Today's car has become a data collection device in its own right, and some of the data it generates can identify individuals such as drivers, lessees or customers. The proliferation of online business also means that identifying details such as names, addresses, phone numbers and biometric particulars (among other attributes) are being collected, stored and processed more than ever.
That data needs to be secured and managed responsibly, which is what the GDPR is about. The consequences of failing to do so, or of suffering a data breach, include regulatory enforcement, huge fines, embarrassment, financial loss and reputational damage.
How to prepare for GDPR?
Given the financial and reputational risks involved, how do fleet and leasing managers ensure compliance and avoid falling foul of regulators?
12 steps to take in preparation for GDPR
1) Awareness – ensure decision-makers and key personnel within your organization are aware of the new law and the impact it will have on them.
2) Audit – document the personal data you hold within your organization (and any you share with third parties), where it came from and who it is shared with. A formal information audit is recommended for larger organizations.
3) Communicate – review your current privacy notices against what the new law requires and make any necessary changes.
4) Individual rights – check that your procedures cover all the rights individuals have under the new law, including how you will delete personal data when it is no longer needed or when asked to do so.
5) Access requests – review how you will handle subject access requests from the individuals whose data you hold. The right of access is being strengthened: you will need to update your procedures to meet the new one-month timescale, and you will no longer be able to charge a fee in the way you can now (except where a request is manifestly unfounded or excessive).
6) Legality – fully understand your lawful basis for each type of processing. Look at each category of personal data you process and ask why you process it; the answer is your lawful basis, and under the new rules you must document it.
7) Consent – review how you seek, obtain and record consent, and identify where changes are needed to meet the GDPR's standard: consent must be freely given, specific, informed and unambiguous, and as easy to withdraw as it was to give.
8) Children – where you rely on consent to offer online services directly to children, you must obtain the consent of a parent or guardian for anyone below the age of digital consent (16 under the GDPR, although member states may lower this to 13) and take reasonable steps to verify it. In some countries young people can apply for a provisional driving licence as young as 15, so this could affect fleet businesses. At the very least, take steps to verify a driver's age.
9) Data breaches – ensure you have the correct procedures in place to detect, investigate and report personal data breaches, including notifying the supervisory authority within 72 hours of becoming aware of a breach unless it is unlikely to result in a risk to individuals.
10) DPIA (data protection impact assessment) – familiarize yourself with the DPIA, and with how and when to carry one out in your organization. Further information can be found on the Information Commissioner's Office website.
11) Data Protection Officers – designate a data protection officer, or at least someone who takes responsibility for data protection within your organization.
12) International – if you operate internationally, determine which data protection supervisory authority is your lead authority and be sure to follow its guidance.
It is important that every fleet and leasing manager familiarizes himself or herself with the new GDPR rules. The work involved now will pale into insignificance compared with the effort and financial resources required to remedy a failure to comply, or an enforcement action, should it come to that. There are many sources of guidance; some are listed here.
UK Information Commissioner's Office: https://ico.org.uk/
EU information on GDPR: http://bit.ly/1kidyy8
Article 29 working party developing EU guidelines: http://bit.ly/2gs7BE2
Data Protection Commissioner, Ireland: http://bit.ly/2gxsWN8
You can find a longer version of this article, written by our group managing director Mark Binks, within our latest Asset Finance Pricing Review.