Panel discussion: GDPR


While fleet operators are accustomed to complying with the Data Protection Act, they will need to prepare for some changes in the way they obtain, process and manage information once the General Data Protection Regulation (GDPR) comes into force on 25 May.

The GDPR is the biggest change to data privacy legislation in over two decades. It aims to protect citizens’ personal data across Europe, so that all countries operate to the same standards. It also takes into account technological changes in the past twenty years, such as the dominance of smartphones and constant connectivity. The GDPR therefore covers the data gained from vehicle technology – which could pose some challenges to fleets.

The AA’s Stuart Thomas explains: “The European Commission has ruled that data generated in a vehicle is the property of the driver and no one else. This clarification of ownership is going to add a significant compliance burden to the fleet manager’s role.

“These rules will apply to fleets which use connected car technology. Fleet operators and managers must from this point provide evidence that consent has been given by all employees to collect data.”

Advice for compliance
The penalties for non-compliance with the GDPR are significant, and while most fleet operators will have good data management practices in place, they should review policies in light of the changes.

Stuart Thomas urges fleet managers to keep an audit trail to show that active consent in the form of a statement or written form is given. “This form should state whether or not the data will be used for private or business usage, and with whom it will be shared,” Stuart adds.

With regard to transparency, Stuart says: “Managers must be clear with their drivers about why they are collecting vehicle journey data. Is it to reduce accident rates across your fleet? To improve efficiency and cut costs? Or perhaps all three. We recommend that this information is laid out in a connected car data usage policy which is shared with drivers.”

Dan Regan from Lightfoot urges fleets to think carefully about their data and whether it is actually useful or if they could stop collecting it, as well as if it could be misused. He says: “I would say one of the biggest GDPR concerns for fleets operating connected vehicles is how the collected data is stored. What we’ve found at Lightfoot is that meticulous consideration to what data is collected and how it is stored can be used to create significant barriers to any data breach or misuse of data. I would recommend that businesses undergo a similar evaluation of data collection and storage.”

ACFO has recently held a webinar on GDPR compliance, and has issued a five-point action plan for fleets to work to. This includes knowing what personal data is held, knowing who has access to it, knowing how suppliers use data, what to tell drivers, and what to do with data loaded on vehicle systems.

Regarding suppliers’ use of data, ACFO’s John Pryor says: “Partner companies must be asked and confirm what processes they have in place for managing data and be able to show secure data treatment. Most suppliers will be well advanced, but if no answer is obtained, action must be taken. Contracts should state what data fleets will supply and the frequency and the purpose for which it will be used by suppliers.”

Before de-fleeting a company car or returning a hire vehicle, John advises that the data loaded on to vehicle systems is deleted. He says: “Satellite navigation systems and mobile phones contain a wealth of data. It is vital to remind drivers to ‘delete’ the data or reset to ‘factory setting’.”

Dan Regan believes that while the GDPR is heavily documented, it is still a grey area for many. He says: “Nobody really knows how far they have to go to mitigate risk, and so from our experience, we recommend speaking to an expert. It comes at a cost, but can your business afford the cost of missing something and failing to report a data breach? The fines under the GDPR legislation can be significant.”

Vehicle hacking
Connected cars are as vulnerable to hacking as anything else linked to the internet. In 2015, two security experts proved they could hack into a Jeep Cherokee and control its most vital functions remotely. Then in 2016, Mitsubishi recalled at least 100,000 cars after hackers remotely turned off the alarm system, drained the battery and controlled the lights.

Realising the scope of the problem, last year the Department for Transport announced new guidance for engineers developing smart vehicles to incorporate tougher cyber protections to help prevent hacking.

Stuart Thomas comments: “Vehicle hacking poses a potentially serious threat to drivers and fleets. It represents a new frontier in vehicle security, and these criminals are becoming increasingly sophisticated. However, the industry is well prepared to face this threat. Manufacturers are investing billions to make cars safer and more secure.”

To avoid falling victim to vehicle hacking, Stuart urges fleets to ensure their vehicle software is up to date and to provide security training for all drivers to make them aware of the threat of leaving their vehicle in insecure hands. “Ensure you are fully aware of the security features and capability of your fleet’s connected car technology, and if you are not, ask your provider for a full breakdown,” Stuart advises.

Relating hacking to data protection, Dan Regan says: “At Lightfoot, we’ve been working with cyber security experts, Securious, as part of an Innovate UK project to investigate and maximise the level of cyber security in our connected vehicle technology. In terms of valuable lessons learnt, what we’d share with fleets to help them tackle hacking is two-fold. Firstly, the mindset at every stage of choosing and specifying a connected vehicle solution should be to question whether the data collected is actually needed. If you think you can cope without it, don’t collect it.

“Secondly, don’t forget the human element. Yes, hacking can be a serious threat. But sometimes, the more serious threat comes from lack of business protocol, or lack of awareness by an individual. The hacking event that’s keeping your MD up at night might well be visions of an IT genius sat behind a computer somewhere in the world, hacking into your connected vehicles. The reality, however, is that it’s the folder containing personal information about a driver that’s just been dropped on the pavement by someone in your operations team,” Dan adds.

Autonomous vehicles
There is a concern that self-driving vehicles are more susceptible to hacking and cyber attack due to their connected nature and because they have no driver to override systems. But the risk of cyber attack is a major part of the feasibility studies of autonomous vehicles so that safeguards can be put in place.

ACFO’s John Pryor commented: “We are at the beginning of the journey towards connected and autonomous vehicles. There are numerous research projects and trials taking place in the UK and around the world and vehicle hacking and cyber security are among the issues being addressed as part of those projects. Fleet professionals currently have many other issues to focus on and the reality is that while autonomous vehicles may be the future, they are some way from being deployed on the frontline of fleet operations.”

Dan Regan points out that connectivity, while susceptible to cyber risks, also acts as a safeguard because it allows you to track and monitor self-driving vehicles. He says: “One of the anxieties embedded in the public domain is concerns over the ability for artificial intelligence to self-learn and re‑write its own code and behaviour. As unlikely as this doomsday type scenario is, this kind of event could easily go undetected in a non-connected autonomous vehicle. So, as unlikely as that fear is in becoming reality, the connected world should give us some kind of peace of mind that we can monitor and track these new scary machines we call autonomous vehicles.”