Vehicle tracking and telematics solutions put a mass of information at fleet managers’ fingertips - but is it legal to store and process all this data? Find out in our blog.
The benefits of vehicle tracking and telematics solutions are well established across the UK automotive industry - putting masses of information at fleet managers’ fingertips to improve efficiency, reduce costs and drive a better quality of customer service.
But is there such a thing as too much data?
For many would-be buyers, it’s difficult to find a satisfactory answer to that question. Confusion over the laws and regulations around telematics data collection acts as a common barrier to investment, and the introduction of GDPR in May 2018 - with its new, more severe penalties for data protection infractions - hasn’t helped that.
So what are the laws around vehicle tracking and telematics in the UK? Find out more about fleet managers’ legal obligations below.
Is telematics data subject to GDPR?
While we’ve yet to see a major investigation or fine under GDPR that involves the use of vehicle tracking devices, most experts agree that telematics data counts as personal data and therefore falls under the regulation’s remit.
In 2014, for example, out-law.com argued that:
“Telematics data can constitute personal data, and therefore fall subject to data protection laws, on the basis that it records the activities of individual drivers, or a number of individuals.
“UK insurers, and other companies that handle telematics data, are therefore obliged to act in accordance with the Data Protection Act [since updated in line with GDPR]. Where personal data has been anonymised, data protection laws no longer apply.”
With this in mind, would-be telematics buyers need to understand the full range of requirements under GDPR when it comes to storing and processing personal data.
Establishing a lawful basis to store and process telematics data
Firstly, before you can collect telematics data at all, GDPR requires that you have a lawful basis to store and process that data. This needs to be established and documented at the outset of your relationship with a prospect, customer or employee, and needs to fall within one or more of six possible categories.
The best-known legal ground for storing and processing personal data under GDPR is consent from the data subject (that is, the person to whom the data applies) - but it’s not the only possible lawful basis.
In particular, fleet managers may wish to familiarise themselves with articles 6(b) and 6(f):
“Processing shall be lawful only if and to the extent that at least one of the following applies:
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
In short: even without the consent of the driver, you may be able to argue that telematics data collection is necessary to fulfil a contract (such as a service contract), or to protect your business’ legitimate interests (asset protection or fraud prevention, for example) - unless the data subject has their own interests, rights and freedoms that override yours.
The ICO offers an interactive tool to help organisations navigate the different lawful bases for data processing, which is a good starting point to understand the contexts in which each applies - although, if in doubt, we recommend you seek legal advice on your own specific business case.
Meeting the other key GDPR principles for telematics data
Establishing a lawful basis for storing and processing personal data belongs to the first of seven key principles set out under GDPR (“Lawfulness, fairness and transparency”). The full list appears in article 5 of the regulation, and a discussion of each can be found in the ICO’s Guide to the GDPR. Some of the principles for would-be telematics buyers to bear in mind include:
- Lawfulness, fairness and transparency: The scope of data collected needs to be fair and reasonable under the stated lawful basis, and the data subject needs to be kept informed and not misled about its use
- Purpose limitation: The purposes for storing and processing data should be stated from the outset, and the data should not be used for any other purpose without consent
- Data minimisation: Organisations should only collect as much data as they need to fulfil their stated purpose - not more
- Storage limitation: Organisations should only store data for as long as they need it - not longer
- Integrity and confidentiality: Organisations must ensure they have security measures in place to protect personal data against “unauthorised or unlawful processing and accidental loss, destruction or damage”
Again - if you are unsure about your obligations or the obligations of your suppliers, we recommend you seek legal advice.
Upholding data subjects’ rights to telematics data
GDPR grants a range of new rights to data subjects that organisations may need to uphold in order to use vehicle tracking and telematics solutions in a compliant way. They include the right to be informed about how their data is collected and used, the right to access that data, and - in some circumstances - the right to request its erasure.
For this reason, a key consideration when you invest in a telematics solution may be whether or not you can easily surface all the data held on a particular person should they request it.
Is my telematics provider responsible for data protection?
Finally, some fleets and dealerships may question whether they have legal liability under GDPR when their telematics data collection, storage and processing is handled by a third party.
The answer is that GDPR includes specific stipulations for supplier relationships to ensure that both parties (known as the data controller and data processor) have a responsibility for protecting personal data. So, even if you choose to outsource telematics on an operational level, you still need to ensure your suppliers are compliant with GDPR too.
Is telematics data subject to the Data Protection Act?
You may find that existing guidance on the laws around vehicle tracking and telematics in the UK focuses on the Data Protection Act 1998 - which, prior to the 25 May 2018 GDPR enforcement date, was the UK’s national data protection law (and an implementation of GDPR’s predecessor, the 1995 Data Protection Directive).
Since then, the Data Protection Act has been updated in line with GDPR and implements the GDPR within the UK.
It’s important to note that both are enforceable under UK law - and the GDPR will remain that way for the foreseeable future as part of the EU (Withdrawal) Act 2018.