General Data Protection Regulation (GDPR) and your business
The EU Regulation becomes UK law in May 2018. It will massively expanding the Data Protection Act and change your responsibilities to staff and customers.
- The use and storage of personal data of staff and customers (including images)
- The personal data security relating to products and services you sell – either as a provider of a 3G live-view facility AND/OR in informing customers of the implications of equipment they purchase from you and their GDPR compliance.
Key aspects of GDPR
N.b Company can be substituted with agency/organisation/other body that receives personal data Definition of ‘personal data’
“any information relating to a person that can be identified, directly or indirectly e.g by name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
Definition of controller
“a company that holds data about individuals (staff & customers)”
Definition of processor
“ a company that provides any ‘live-view’ service through a third-party provider OR sells products or services that might be used in this way must be able to provide a GDPR compliance interpretation for some of the products that sold”.
Both these aspects will need to be checked across 3 dimensions –
- Recording (how the information is collected by your company)
- Storage (how the information is stored at and by your company)
- Mobile (how the information is used when active and sent to/through 3rd parties).
Compliance for small companies
Still not clear whether companies employing less than 250 people will need to comply, BUT sole traders are subject to higher thresholds of privacy even now than Limited companies, so better to put things in place than be caught out.
If nothing else, you will have to consider the following:
- Know where all Personal Data is stored
- Develop processes to ensure all PD is documented and accounted for
- Ensure process and systems can handle subject requests
- Change IT and security policies to comply with GDPR
- Create relevant privacy notices
- Change sales and marketing processes to ensure PD is not mishandled
- Get consent from all customers. Double opt-in necessary for you to market to them
- Inform all staff about GPDR and implementation
- Check that your privacy and website cookie consent policies are transparent in compliance
Third party considerations
- Ensure all third parties that process customers PD meet compliancy standards
- Document process for how third parties will use your PD
- Find new third-party suppliers/partners if they are not GDPR compliant
- And this is just the start. This is by no means a comprehensive list of all activities required to meet our own GDPR compliance.
Data and video capture on the road
The use of telematics within the fleet industry generates information on employees from their vehicles. This information will fall under the new regulation.
Moving forward, it will be essential for any business that runs one or a fleet of vehicles to keep audit trails to evidence that specific, non-ambiguous, consent was freely given by the drivers for example – for their image/voice to be captured or their location to be tracked AND you must make sure that the servers supporting that data are also compliant.
You will need:
- Specific consent to hold their data
- Be able to provide the individual with the data held about them
- Be able to destroy their data if they ask
- Be able to ensure their data is protected in the places where it is held
The Information Commission has produced two checklists to help you ensure you are ready for GDPR in May. Take some time to look through them and decide which one is for you. If you use tracking systems and recordable devices you will need to complete the ‘controller’ checklist. You will need to check with your supplier that the processing of that data is also compliant.
Checklist for data controllers https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment/data-controllers/
Checklist for data processors https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment/data-processors/
Passenger vehicles and recordable devices
If you are to use inward facing dash-cams you will need to let people know that you may be recording them. It is not yet clear what guidance the Information Commission is going to provide for passenger carrying vehicles. Currently, it is sufficient to have a warning sign that footage and conversations may be recorded, but with the onus on positive consent in the GDPR, this may be insufficient.