Helping fleet managers deliver GDPR
Feature
With the GDPR now in effect, are you really prepared for the changes? Mark Sugden, Secretary for the Association of Driving Licence Verification, highlights how the new legislation affects fleets and how the ADLV has been working with the DVLA to help overcome the hurdles
The GDPR, which came into effect 25 May, is an enormous change in how personal data is held, maintained, consented to, managed and audited. Unsurprisingly, one of the areas of major impact is the fleet management sector, where personal driver records are checked regularly. This means both government and commercial organisations ‘know who their drivers are’ with the benefits for road safety and risk reduction clearly defined.
With this need for regular driver licence checking, fleet managers have felt overwhelmed by the prospects of meeting the new GDPR deadlines both in general terms and by the DVLA guidelines. Fortunately, trade association the The Association For Driving Licence Verification (ADLV) has been at the forefront of helping fleets to comply.
Indeed, the ADLV has been working extremely closely with the DVLA on the implementation of GDPR (General Data Protection Regulation) for the ADD service. This puts the Association in a strong position to explain the ramifications of GDPR clearly and concisely to fleet and procurement managers.
By helping to explain the GDPR rules for its members’ fleet customers, the ADLV believes that discussions will help to define the industry standard going forwards.
Guidance
In short, the ADLV will now support members with advice on such topics as the content of Privacy Notices, how the data will be used and how long information can be held. They will offer guidance on the required audit trails, what to do with the data afterwards, people’s right to be forgotten, training issues and the potential changes in the mandate and the associated terms and processes.
Terry Hiles, the ADLV’s deputy chair recently noted that, “GDPR is going to present a challenge to a worryingly large number of businesses which have hitherto assumed that sitting beside the driver to look at their licence details using the DVLA’s service for individuals is sufficient evidence of consent. There are new standards of consent that the ADLV can advise on. However, deciding the new level of consent is one aspect of the challenge – the other is the sheer scale and timing of the change.”
The GDPR based changes recently announced by the DVLA, mean that over two million drivers will be required to grant new driving licence data permission to their fleet operator. Only by complying with the new rules, will fleet drivers now be properly checked. However, the DVLA changes will come into effect by a stated deadline of 25 August 2018, just three months from the introduction of GDPR.
The new GDPR regulation will apply to all private and public sector organisations processing personal data and receiving driver information from the DVLA. All employers and their fleet / procurement managers, who are legally obliged to check a drivers’ entitlement to drive, will be under enormous pressure to hit this looming August deadline. With this in mind, and aiming to ease the burden, ADLV member companies, who facilitate online licence data checking, are contacting their customers to advise on the new compliance requirements.
ADLV members along with all their customers must now satisfy themselves that the new fair processing declaration complies with the new data protection legislation and is permitted by the driver. ADLV members will advise customers on the full implications of the incoming changes and how they can ensure effective compliance with the new DVLA requirements.
A major change
These changes are a huge shift for the DVLA and indeed the driving licence checking industry as a whole. From a compliance perspective, all employers and third parties who are responsible for licence checking will need to be able to demonstrate that the new fair processing declaration has actually been authorised by the driver. This will need to be stored in a highly secure fashion and in a way that can be easily audited and accessed by the DVLA to ensure compliance with the new GDPR legislation.
This is good news for ADLV members as they are all ISO27001 accredited – and they will welcome this as it raises the bar for security and data processing within the fleet industry and related sectors.
Importantly, those companies that were not data-secure will now have to adhere closely to these new standards; which is good for data protection and the licence checking industry as a whole.
Commenting on the GDPR changes, Malcolm Maycock, Chair of the ADLV commented: “The security of data and compliance in accordance with legislation, whether it is Data Protection regulations or current work related road safety legislation, is a core business function of ADLV members. Whilst this is a mammoth task in a short timeframe, our members are wholly committed to ensure that all processing is correct and complies fully with the new GDPR legislation. The good news is that the new Data Processing Declarations will continue to remain valid for three years from the date permission is actually granted.
“GDPR is by far the most significant data challenge that fleet managers have needed to adjust to. However, the ADLV will, of course, be advising all our members on how to prepare fully and professionally for the significant changes ahead.”
For her part, Donna Jones, senior commercial data sharing manager at DVLA welcomed Malcolm Maycock’s comments adding: “We welcome the advice that is to be given to ADLV members. The DVLA has been undertaking a detailed review of all its contracts in relation to GDPR, including the ADD contract which we will rollout in readiness for the new legislation.”
So what originally looked like a potentially insurmountable and onerous administrative hurdle is now seen as very manageable thanks to the ADLV, with the support of the DVLA.
The extra good news is that by the end of the year, data management standards will be greatly improved as will data security. All in all, that has to be a good outcome all round.
