Fleet companies must comply with new EU data protection rules

The GDPR will impact how leasing and rental companies collect and store the personal data of drivers

A new EU regulation will fundamentally change the way leasing, rental and fleet management companies can hold data on drivers.

The EU General Data Protection Regulation (GDPR) represents the most important change in data privacy regulation in 20 years. The GDPR is designed to harmonise data privacy laws across Europe, and to protect and empower the data privacy of all EU citizens. It is a cornerstone of the Digital Single Market (DSM), which is one of the priorities of the European Commission.

The regulation was adopted by the EU Parliament in April 2016, and comes into force on 25 May 2018. It applies to all companies that process the personal data of people living within the EU, regardless of where the company is based and where it actually stores and processes the data.

Personal data is any data that can be used to directly or indirectly identify the person. It includes information such as a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.

From next May, the EU will strengthen the conditions for consent, and companies will no longer be able to use long, complicated, and difficult to understand terms and conditions. The GDPR insists that granting consent for data to be collected and processed, “must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language full of legalese.”

Moreover, it must be as easy for people to withdraw their consent as it is to give it. This extends to ‘Data Erasure’, the right for people to be forgotten and have their data erased.

Failure to comply with the GDPR could lead to heavy fines of up to 4% of annual global turnover or €20 million (whichever is greater).

Global software provider, Sofico, says the GDPR will have repercussions for automotive finance, leasing, fleet and mobility companies. And given the length of time it takes for software releases and updates, there's a limited time for companies in the fleet sector to audit, and if necessary amend, their data collection and processing systems in order to comply with the new regulation before the May 2018 deadline.

Fleet implications

The GDPR applies to all existing data held, with no limitation in scope on the time when it was collected, explained Bram Wallach, product management, Sofico.

He sought to reassure companies in the car leasing, rental and fleet management sector that there is rarely much personal data being collected. There may, however, be exceptions for companies that collect telematics data, which identifies drivers’ locations.

“The scope of personal data being collected by our customers is fairly limited and not in the same categories as you would expect to see in a hospital environment with health records,” said Wallach.

In addition, the majority of the data collected by fleet companies is a contractual necessity, which would prevent a driver from opting out of having his or her data held.

“In many cases in our industry sector, the grounds for the lawful processing of data is called contractual performance under GDPR Article 6, meaning that there is some sort of a contract, be it a finance contract, leasing contract or rental contract,” said Wallach.

“Anything along those lines requires the necessary processing of personal data to fulfil the contract in order to provide support and know which is driving the asset. So in many cases there is no way the individual could object to that, at least during the term of the contract.

Afterwards it’s a different story. That’s where the biggest impact is for our customers, where most of them had a practice of holding on to data for indefinite periods of time. They might need to pay more attention to their data retention policy, and at some stage remove data from their systems, or at least put it into an anonymiser where there are no grounds for processing any more.”

Manufacturer captive banks, selling leasing and finance through their dealers, may have to pay more attention to the GDPR, especially in terms of how they use the data for direct marketing purposes, added Wallach.

“The whole point of the GDPR is that it makes companies think more about their data processing, how they protect privacy and how they protect personal data,” said Wallach. “It’s much more of a risk-based process. The key point of the GDPR is that the accountability is now with the data processor and controller to demonstrate compliance.

“Companies now have to review their internal processes, data flows, the systems where master data is being kept, and how it is being replicated to other systems. Are they proportionately collecting data or are they collecting data that might not be directly necessary for the purposes of our processing.”