The General Data Protection Regulation (GDPR) is a European Union regulation, in force since May 25, that requires organizations to tell the users of their services what personal data they collect about them and what that data will be used for. For multinational fleets, this means properly managing user data is more important than ever.
The GDPR applies not only to organizations based in the EU, but also to those outside the EU if they offer services to, or monitor the behavior of, EU data subjects. Multinational fleets with operations in the union therefore need to consider not only what their services provide to consumers, but also any personal information or data they receive in return. The same applies to the data a fleet collects about its own company drivers: it must be transparent about the driver information it holds, such as cellphone numbers and personal addresses, and about what that information will be used for.
“I think this is an area too that fleets have got to be mindful of. The rules under GDPR also apply to employees. It's not just a consumer-facing requirement there,” said Greg Sparrow, senior VP and general manager of CompliancePoint, a privacy, security and compliance service company.
“What that really means is companies have to be clear, and conspicuous in what they’re collecting and why. That also would apply to the employees. You have to be able to give them or facilitate access to the information,” Sparrow said. “So if they want to look at it, they have the right to know what's being collected. If they want to update or modify it, if there are errors or things that need to be corrected, you have to be able to facilitate that.”
Ensuring GDPR Compliance
Under GDPR, the organization that decides what happens to user data is referred to as the controller. The controller is responsible for ensuring that any third-party vendors it shares data with, known as processors, are also GDPR compliant. Processors are in turn responsible for the compliance of any further third party they engage, which is then referred to as a sub-processor.
For example, a fleet leasing company based in Europe would be the controller for a multinational fleet with operations in the European Union, and that fleet would be referred to as the processor. This is because the fleet leasing company is asking for details about the fleet's drivers in order to help manage the fleet.
“Data controllers may only appoint data processors which provide sufficient guarantees to implement appropriate technical and organizational measures to ensure processing meets the requirements of the GDPR. Processors are required to process personal data in accordance with the controller's instructions,” according to the Global Data Hub.
If the multinational fleet, in turn, uses the services of a fuel card company, the fleet becomes the controller, because the fuel card company is processing data on the fleet's behalf, said an anonymous global fleet manager. The fuel card company provides the service, processes the data, and receives contact details and various other information.
“A controller must ensure that data is transferred in a secure manner and in accordance with the Data Protection Legislation (DPL),” the anonymous fleet manager said, as it relates to his organization. “Where data transfer to non-EEA countries takes place, the controller has further obligations, for instance, the need to have Standard Contractual Clauses in place. Hence, we require our vendors to adopt strict information security measures in order not to be in breach of the DPL.”
Sparrow added that companies can approach the GDPR in several different ways, depending on how they choose to engage with their customers and the position they take on the privacy of customer data. Organizations need to be mindful of how they secure and protect the information they collect, and of their data privacy framework, including its governance layer and how that is incorporated into business operations.
He noted that the definition of personally identifiable information is broader under GDPR than under traditional U.S. regulation.
The Importance of Compliance
According to a study from TrustArc, which surveyed 600 IT and legal professionals responsible for privacy at companies required to meet GDPR compliance, approximately 80% of companies in the U.S. and EU were not GDPR compliant a month after the May 25th deadline.
However, Alphabet International GmbH, a business mobility provider in Europe, Australia and China, said the GDPR is one of the most complex pieces of data protection legislation established to date, meaning further guidance and interpretation of its requirements from supervisory authorities are expected.
“So at this point, if you don't have something in place or you really haven't started down that path, it really is a function of risk management, and essentially how willing is the business to accept the risk of a potential fine whether it could be an issue. Some organizations are more willing to accept that risk than others,” Sparrow added.
Companies with operations, customers or employees in the EU that are found not to be compliant with the new GDPR rules may be fined up to €20 million (over $25 million) or, in the case of an enterprise, up to 4% of its total worldwide annual turnover of the preceding financial year, whichever is greater.
“It's really all about giving the individual access and empowering them with information on what's being collected, why it's being used, and then obviously, empowering them with certain rights if they want to opt-out of those types of data processing,” Sparrow said.
For corporations concerned about GDPR, Sparrow suggested assessing the data the company holds on its employees, as well as what has been compiled from vehicle data.
“What I would recommend organizations or fleets that are looking to it to kind of wrap their arms around this would be, one, to start with a data map,” said Sparrow. “Meaning, understand what information you collect from these vehicles, from the employees, where that goes, what those data elements are, what you're using it for, what third-parties is it being given to.”
Besides adhering to the principles governing the processing of personal data, such as lawfulness, fairness and transparency, purpose limitation, data minimization, accuracy, integrity, and confidentiality, a corporation should run a continuous data protection compliance program to become and stay compliant with the GDPR, according to Alphabet International.
Companies should also assess whether they can justify the usefulness of the data they keep.
“Making some intelligent business decisions around what data is being kept and retained,” Sparrow said. “And is there clear business justification for that?”