ACFO sets out actions for fleets to comply with GDPR rules

A five-point action plan has been outlined by ACFO for fleet professionals to adopt to ensure compliance with the General Data Protection Regulation (GDPR), which takes effect on 25 May.

Fleet organisation ACFO held its second webinar, which was supported by TomTom Telematics, on GDPR, and says now is the right time for fleet decision-makers to review and check all data collection and whether all information gathered is required.

TomTom Telematics claims that GDPR is set to be the “most important change in data privacy regulation in 20 years”, but Beverley Wise, sales director UK and Ireland, believes it is “an evolution, not a revolution” by bringing information protection into the digital age with processes that were “open and transparent”.

ACFO chairman John Pryor commented: “Fleets will already hold a lot of personal data. Now is the time for fleets to review and check whether they actually need all the current data being received? Where does the data originate and is it secure, either on computer or in locked storage? This is not new as all fleets should be doing this automatically.”

During the webinar, billed as ‘GDPR: What every fleet decision-maker needs to know’, Ms Wise said there was no problem with collecting data that was for a “legitimate business interest”. That, for example, could include the capture and processing of mileage for travel management and business expense claims, fuel data capture and the use of driver behaviour data from in-vehicle telematics.

ACFO’s five-point action plan for members is:
- Know what personal data is held including: Drivers’ name, home address, contact telephone numbers, driving licence details, National Insurance number, payment, bank and family details.

- Who has access to the data? GDPR is not “just fleet”. Many employers have working parties established to confirm what data they have and how it is used, but if that is not the case then check who can access the data that is held for fleet purposes.

- What data is passed to suppliers/contracts by fleet professionals? Partner companies must be asked and confirm what processes they have in place for managing data and be able to show secure data treatment. Most suppliers will be well advanced, but if ‘no answer’ is obtained action must be taken. Contracts should state what data fleets will supply and the frequency and the purpose for which it will be used by suppliers.

- What to tell drivers and make sure they understand where the data is, where it is being used and what is happening with it. For example, if is difficult to order/deliver a car if the supplier is not provided with name and address details.

- Deleting data loaded on to vehicle systems. Satellite navigation systems and mobile phones contain a wealth of data. It is vital to remind drivers ‘delete’ the data or reset to ‘factory setting’ ahead of defleet of a company car or the return of a hire vehicle.