The BVRLA on Preparing for GDPR

The new General Data Protection Regulation (GDPR) comes into effect on 25 May 2018 marking the biggest overhaul of data protection since the introduction of the current Data Protection Act (DPA) in 1998.

Seen as more of an evolution than a revolution, GDPR is effectively a more detailed and robust version of the current regulation, placing greater emphasis on the rights of individuals and imposing tougher penalties on those organisations who fall short of meeting their data protection obligations.

Those found to be in breach of the new rules could face fines of 2% of annual turnover or 4% of annual worldwide turnover for more severe infringements.

The GDPR applies to data processing carried out by organisations operating within the EU as well as organisations outside the EU that offer goods or services to individuals in the EU. The government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR so businesses should not let the prospect of Brexit delay preparations.

The British Vehicle Rental and Leasing Association (BVRLA) recently published findings from its Fleet Technology Survey, revealing that around half of BVRLA members and fleet managers felt ready for GDPR. 54% claimed that their company is clear about its responsibilities under GDPR and 52% claimed that their company has a clear strategy regarding its collection and use of driver and vehicle data.

The Information Commissioner’s Office (ICO) understands the importance of having an internationally consistent approach to data protection regulation, stating: “With so many businesses and services operating across borders, international consistency around data protection laws and rights is crucial both to businesses and organisations, and to individuals.”

Any changes made to business processes to ensure compliance will not be made in vain as any UK version of the regulation introduced post-Brexit is likely to be aligned to GDPR.

The BVRLA offer some advice on the changes that GDPR brings:

Some key differences

Under GDPR, there will be more emphasis on the rights of individuals both in terms of consent and access to their own data. Should an individual ever make a claim, the burden of proof will fall to the organisation so it will be essential for fleet operators to keep audit trails to evidence that specific and unambiguous consent was freely given. This should be in the form of a statement or an affirmative action. It will no longer be acceptable to gain consent via passive ‘pre-ticked’ boxes and inaction.

Another area of change is that the new rules place emphasis on shared responsibility, making everybody who handles and processes data liable, not just data controllers. Everybody in the supply chain will need to understand their obligations to ensure compliance and this is going to require a change in mindset as people across the industry have different views on who they think is liable for data. This was reflected in the BVRLA’s study which shows that 36% of members and 41% of fleet managers agreed that everybody had responsibility for data protection. The rest placed the responsibility at the door of either the lease company, manufacturer or fleet manager. There is clearly a big job to do to ensure compliance across the industry.

Data security

As the automotive industry continues to transition from a sector driven by mechanics to one driven by electronics and software, the issue of data and cyber security will become an increasing concern.
As connected and autonomous vehicles become more prevalent on our roads, it will be crucial for manufacturers to consider security requirements in the vehicle’s design and it will be equally as important to protect our infrastructure.

The main cyber security threats to connected and automotive vehicles include loss of control, loss of data, leaking or sharing of data, denial of service or malicious manipulation of software, network outage or disruption of power supply and even interception or hijackings. All of which would be disastrous.

The BVRLA welcomed government’s recent publication of a set of principles to ensure that a tougher approach is taken to cyber security throughout the automotive industry.
Keaney said: “It is potentially an area of huge vulnerability if businesses do not take steps to be properly protected so there is likely to be an increase in the employment of tech-savvy cyber security professionals to embed government’s recommended cyber security principles right across the automotive industry. Data protection is crucial not only for individuals and organisations, but also for the industry and the wider UK economy.”

Data access and ownership

As part of the BVRLA’s Fleet Technology Survey, the association explored views from drivers with regards to data and connected vehicles, and the message was clear. When it comes to sharing data about themselves such as how they drive or where they drive, there is little appetite to give consent. However, the picture is very different when it comes to sharing diagnostic data to help with early diagnosis of faults or to help flag warranty or safety issues. 95% were happy to share data if it helped to diagnose or prevent faults, 93% were happy if it enabled the automatic alerting of a breakdown company and 82% were happy if it helped to identify safety and warranty issues.

Around seventy percent of BVRLA members and fleet managers believe that vehicle manufacturers have an obligation to provide vehicle data, with 86% saying that they should not have to pay for it.
Seventy-nine percent of respondents said they were concerned that vehicle manufacturers would restrict access to telematics data to further their own business goals. Eighty-nine percent of them believe that manufacturers should allow them to install third party telematics devices, provided that they meet agreed security standards.

BVRLA Chief Executive, Gerry Keaney said: “Connected vehicle data is rapidly becoming the new currency of the fleet sector and will drive many business models in future.

“Our responsibility is clear. The BVRLA will play a lead role in helping the fleet sector work with government and the wider automotive supply chain to ensure that all parties share data in an open, secure and fair way. By doing this, we can make sure that businesses and consumers continue to enjoy a competitive choice of suppliers for fleet management, aftermarket and mobility services.”

Author: BVRLA https://www.bvrla.co.uk/