Concerns over data privacy have risen in recent years following major breaches at respected blue-chip companies such as TalkTalk, JP Morgan and Sony.
Much of the data we produce is driven by new digital habits – online shopping and social media interactions – as well as more traditional sources such as bank account details, insurance and medical information.
In response to the increasing complexity of handling such data, both online and offline, and maintaining privacy, the EU parliament approved the General Data Protection Regulation (GDPR) in April 2016. It will be directly applicable to all EU member states in May 2018 and replaces the Data Protection Directive. It is designed to harmonise data privacy laws across Europe and “empower all EU citizens’ data privacy”.
The GDPR applies to not only EU-based organisations but also organisations located outside the EU if they offer goods or services to, or monitor the behaviour of, EU residents.
This includes companies that hold personal data, which is classed as any information that can be used to directly or indirectly identify a person. It can be anything from a name, photo, email address, bank details, posts on social networking websites, medical information, or a computer IP address.
Key changes aside from the increase in territorial scope include ensuring the request for personal data consent is made in an intelligible and easily accessible form and that breach notification becomes mandatory and must be disclosed within 72 hours to the relevant supervisory authority. There is also enhanced data transparency, right to access and right to erasure.
Organisations can be fined up to 4% of annual global turnover, or €20m (£17.8m), for breaching GDPR. This can be imposed for the most serious infringements such as not having sufficient customer consent to process data.
There is a tiered approach to fines, so a company can be fined 2% of its turnover for not having its records in order; not notifying the supervising authority and data subject about a breach; or not conducting an impact assessment.
“The likelihood that this regulation will impact the haulage industry is high,” says Mike Hayward, head of transport and regulatory at Woodfines solicitors. “The regulation will apply to all collectors and processors of data. It will affect all organisations that collect, store, copy, transfer personal data or deal with requests for confidential information. Organisations currently subject to the Data Protection Act 1998 will most likely be subject to the GDPR.”
Hauliers must note the condition on valid consent – where it must be explicit rather than implied for the need for data to be collected and for the purpose of that data.
Hayward says: “Any hauliers that subcontract work, for instance driver licence checks or tachograph analysis, to other companies may not be released from the burden of compliance. The regulation places an additional obligation that would mean a haulier would need to ensure their contractors are also compliant.
“Another new practical step hauliers may need to consider is the new accountability requirement the regulation imposes. As well as the obligation to provide clear and transparent policies, the regulation may require a haulier to be able to demonstrate its compliance.
He adds: “If an organisation has more than 250 employees, records of personal data processing activities also need to be recorded. Any information that would be able to be used in the identification of an individual would be classified as personal data and would be protected under the regulation.”
There are a great number of things a haulage firm might possess that could be classed as personal data. This includes driving licences; telephone numbers; driver qualification records; customer details; records of employee performance; tachograph readings; CCTV images and bank account details.
Paul Wormald, partner at Hawsons Chartered Accountants, says telematics data must also be considered as personal. “The growth of in-cab technology is increasing and hauliers must protect against any breaches,” he says. “Hauliers also need to be aware of payroll data especially if they outsource it to a third party.”
Organisations with core activities that require monitoring or processing data will have to employ a Data Protection Officer (DPO). It is the DPO’s role to advise staff of their obligations, monitor compliance and co-operate with the relevant authorities. Failure to appoint a DPO when required to do so runs the risk of substantial fines.
“There is no requirement for all organisations to employ a DPO, but it is good practice for hauliers to ensure all staff are aware of their responsibilities and understand what constitutes a breach of data,” says Hayward. “At a minimum, all organisations should ensure that a satisfactory internal breach reporting procedure is put in place.”
Wormald advises hauliers to review the requirements of the regulations and carry out a gap analysis of where their current procedures are weak. “Operators should make a senior member of their teams responsible for compliance as well as ensuring they have the budget set aside to cope with additional costs. Staff must also be trained and told what is expected of them when it comes to collecting and processing personal data. This regulation is coming and, as we see with the fines that might be sanctioned, it has teeth.”
The EU says Brexit will not stop the introduction of the GDPR. The EU’s GDPR website states: “If you process data about individuals in the context of selling goods or services to citizens in other EU countries then you will need to comply with the GDPR, irrespective as to whether or not the UK retains the GDPR post-Brexit.
“If your activities are limited to the UK, then the position after the initial exit period is much less clear. The UK government has indicated it will implement an equivalent or alternative legal mechanisms. Our expectation is that any such legislation will largely follow the GDPR, given the support previously provided to the GDPR by the UK government as an effective privacy standard, together with the fact that the GDPR provides a clear baseline against which UK business can seek continued access to the EU digital market.”
Hayward says the government has confirmed that the decision to leave the EU will not affect the commencement of the GDPR.
“It is being enacted on 25 May 2018 regardless of the Brexit negotiation results. These will be the rules that hauliers will be obliged to follow,” he says. “It should be noted that member states have the discretion to enact national provisions that impose requirements even more burdensome, so organisations should be mindful of any obligations not included in the regulation that they must still adhere to.”
By David Craik
