GDPR: what hauliers need to know about the General Data Protection Regulation
New data protection laws that come into force in 2018 will apply to the UK regardless of the result of post-Brexit negotiations.
Concerns over data privacy have risen in recent years following major breaches at respected blue-chip companies such as TalkTalk, JP Morgan and Sony.
Much of the data we produce is driven by new digital habits – online shopping and social media interactions – as well as more traditional sources such as bank account details, insurance and medical information.
In response to the increasing complexity of handling such data, both online and offline, and maintaining privacy, the EU parliament approved the General Data Protection Regulation (GDPR) in April 2016. It will be directly applicable to all EU member states in May 2018 and replaces the Data Protection Directive. It is designed to harmonise data privacy laws across Europe and “empower all EU citizens’ data privacy”.
The GDPR applies not only to EU-based organisations but also to organisations located outside the EU if they offer goods or services to, or monitor the behaviour of, EU residents.
This includes companies that hold personal data, which is classed as any information that can be used to directly or indirectly identify a person. It can be anything from a name, photo, email address, bank details, posts on social networking websites or medical information to a computer IP address.
Key changes aside from the increase in territorial scope include ensuring the request for personal data consent is made in an intelligible and easily accessible form and that breach notification becomes mandatory and must be disclosed within 72 hours to the relevant supervisory authority. There is also enhanced data transparency, right to access and right to erasure.
Organisations can be fined up to 4% of annual global turnover, or €20m (£17.8m), for breaching GDPR. This can be imposed for the most serious infringements such as not having sufficient customer consent to process data.
There is a tiered approach to fines, so a company can be fined 2% of its turnover for not having its records in order; not notifying the supervising authority and data subject about a breach; or not conducting an impact assessment.
What do haulage firms need to know about the General Data Protection Regulation?
“The likelihood that this regulation will impact the haulage industry is high,” says Mike Hayward, head of transport and regulatory at Woodfines solicitors. “The regulation will apply to all collectors and processors of data. It will affect all organisations that collect, store, copy, transfer personal data or deal with requests for confidential information. Organisations currently subject to the Data Protection Act 1998 will most likely be subject to the GDPR.”
Hauliers must note the condition on valid consent: it must be explicit rather than implied, both for the need for data to be collected and for the purpose of that data.
Hayward says: “Any hauliers that subcontract work, for instance driver licence checks or tachograph analysis, to other companies may not be released from the burden of compliance. The regulation places an additional obligation that would mean a haulier would need to ensure their contractors are also compliant.
“Another new practical step hauliers may need to consider is the new accountability requirement the regulation imposes. As well as the obligation to provide clear and transparent policies, the regulation may require a haulier to be able to demonstrate its compliance.”
He adds: “If an organisation has more than 250 employees, records of personal data processing activities also need to be recorded. Any information that would be able to be used in the identification of an individual would be classified as personal data and would be protected under the regulation.”
The affected data
There are a great number of things a haulage firm might possess that could be classed as personal data. These include driving licences; telephone numbers; driver qualification records; customer details; records of employee performance; tachograph readings; CCTV images; and bank account details.
Paul Wormald, partner at Hawsons Chartered Accountants, says telematics data must also be considered as personal. “The growth of in-cab technology is increasing and hauliers must protect against any breaches,” he says. “Hauliers also need to be aware of payroll data especially if they outsource it to a third party.”
Organisations with core activities that require monitoring or processing data will have to employ a Data Protection Officer (DPO). It is the DPO’s role to advise staff of their obligations, monitor compliance and co-operate with the relevant authorities. Failure to appoint a DPO when required to do so runs the risk of substantial fines.
“There is no requirement for all organisations to employ a DPO, but it is good practice for hauliers to ensure all staff are aware of their responsibilities and understand what constitutes a breach of data,” says Hayward. “At a minimum, all organisations should ensure that a satisfactory internal breach reporting procedure is put in place.”
Wormald advises hauliers to review the requirements of the regulations and carry out a gap analysis of where their current procedures are weak. “Operators should make a senior member of their teams responsible for compliance as well as ensuring they have the budget set aside to cope with additional costs. Staff must also be trained and told what is expected of them when it comes to collecting and processing personal data. This regulation is coming and, as we see with the fines that might be sanctioned, it has teeth.”
Brexit effect: will the UK be required to follow GDPR?
The EU says Brexit will not stop the introduction of the GDPR. The EU’s GDPR website states: “If you process data about individuals in the context of selling goods or services to citizens in other EU countries then you will need to comply with the GDPR, irrespective as to whether or not the UK retains the GDPR post-Brexit.
“If your activities are limited to the UK, then the position after the initial exit period is much less clear. The UK government has indicated it will implement equivalent or alternative legal mechanisms. Our expectation is that any such legislation will largely follow the GDPR, given the support previously provided to the GDPR by the UK government as an effective privacy standard, together with the fact that the GDPR provides a clear baseline against which UK business can seek continued access to the EU digital market.”
Hayward says the government has confirmed that the decision to leave the EU will not affect the commencement of the GDPR.
“It is being enacted on 25 May 2018 regardless of the Brexit negotiation results. These will be the rules that hauliers will be obliged to follow,” he says. “It should be noted that member states have the discretion to enact national provisions that impose requirements even more burdensome, so organisations should be mindful of any obligations not included in the regulation that they must still adhere to.”
By David Craik
TC cuts NR Parsons Transport's O-licence after drivers caught tailgating
Traffic commissioner (TC) for Wales Nick Jones has cut NR Parsons Transport’s fleet by a quarter for three months after its drivers were convicted of tailgating cars and committing drivers’ hours offences.
The TC sent out a firm warning that HGV drivers will face strong action if they are caught tailgating.
Jones said: “Tailgating is potentially dangerous in any circumstances, but tailgating in an HGV is especially serious and if brought to the attention of a traffic commissioner, strong albeit proportionate action will be taken.”
At a driver conduct hearing and public inquiry in Cardiff earlier this month, Jones said the Bridgend-based firm’s three drivers had been able to commit drivers’ hours offences, including falsification of records, because transport manager Neil Parsons did not have “sufficient control over the drivers’ hours records compliance.”
NR Parsons Transport had its O-licence curtailed from 16 vehicles and 16 trailers to 12 vehicles and 12 trailers for three months from September 2017.
Jones said Parsons had lost his repute and banned him from holding the position until he requalifies by passing fresh examinations.
Drivers Alan Reynolds, of Kington, and Robert Lloyd, also based in Kington, both admitted tailgating during the driver conduct hearing. Both were seen tailgating cars in September, while driving NR Parsons Transport HGVs, by a DVSA traffic examiner as the vehicles travelled from Hereford to Letton.
Following an investigation, the agency also reported Reynolds and Lloyd for committing drivers’ hours records offences, which resulted in Reynolds being prosecuted for 15 offences of knowingly making a false record. He was given a six-month prison sentence, suspended for 12 months, by Worcester Crown Court. He is also required to undertake 160 hours of unpaid community service, and pay costs and a court surcharge totalling £1,790.
The TC added an extra month to the professional driving bans of two HGV drivers who were reported for tailgating.
After the conduct hearing, the TC revoked Reynolds’ professional driving licence and disqualified him from holding or applying for a vocational licence until 1 March 2019.
Lloyd was convicted of aiding, abetting, counselling or procuring the making of a false record and fined by Merthyr Tydfil Magistrates’ Court. The TC also revoked his professional driving licence and disqualified him from holding or applying for a vocational licence until 1 September 2018.
A third driver, David Clarke, of Kingstone, was convicted and fined for a number of drivers’ hours offences, including knowingly making a false record and using another driver’s card to record his work. Clarke’s professional driving licence was revoked by the TC and he is disqualified from holding or applying for a vocational licence until 1 May 2018.
DVSA chief executive Gareth Llewellyn said: “DVSA’s first priority is to protect you from unsafe drivers and vehicles. There’s no excuse for driving while tired or driving dangerously. I am very supportive of the action taken by the traffic commissioner in this case and the advice he has provided to the industry.”