GDPR for taxi fleets was a hot topic in our industry back in 2018. Indeed, every business sector going was churning out advice on how to prepare for GDPR compliance ahead of the EU directive coming into effect. It took centre stage as the buzzword of the time. GDPR, Brexit, Covid…something else always comes along! The thing is, however, that while the mass hysteria, and subsequent GDPR information overload, has dissipated, the General Data Protection Regulation itself is going nowhere.
Taxi fleets still need to comply with GDPR – and this needs to be an ongoing business focus. Your taxi company may have prepared for GDPR effectively back in 2018, but are you sure you are still in compliance?
In this article we’ll look at a few areas that may have changed in your business over the last couple of years and which may need a bit of a GDPR sense-check.
Before we look at GDPR breach prevention for your taxi company let’s take a moment to remember why you want to stay GDPR compliant in the first place. Quite simply, failure to protect your customers’ personal data could put you out of business!!!
GDPR Fines and Enforcement Action against Taxi Companies
To date, the UK ICO has only imposed two fines for breaches of the GDPR – the most recent was £20m for British Airways. However, a couple of significant fines have been imposed to taxi and fleet companies by Supervisory Authorities within the EU – which should serve as a warning to taxi companies in the UK and Ireland.
- May, 2020 – the Finnish Data Protection Ombudsman issued a fine for €72,000. The fine was imposed for failure to conduct the appropriate risk assessments – data protection impact assessment (DPIA) – to identify the potential risks of installing a visual and audio surveillance system in its taxi’s, processing location data and automated profiling of customers for its loyalty programme.
- 2019 – the Danish Protection Authority issued a €160,000 fine for failure to adhere to the data minimisation principle of the GDPR – only collecting and retaining the data they required for the task. Although the company deleted the names of its passengers from records after 2 years, it did not delete other details from over 8.8m ride records – including telephone numbers.
GDPR Compliance for Taxi Fleets – What’s changed in your business?
If you don’t want to end up as a cautionary tale for other taxi companies, make sure you are now, and remain GDPR compliant.
There are several key areas that taxi fleets should consider as part of their data protection obligations – and these tend to relate to the use of technology installed within your fleet, the role of people and broader changes to the business landscape. So, if you’ve added any new tech to your operations or passenger offering, or introduced any new digital procedures, it is necessary to look at them through a GDPR lens.
With iCabbi as your Data Processor, you will be aware of the steps they take to protect YOUR Customer and Driver data. iCabbi provides you with a Passenger Data Protection Notice template when you sign the Data Processing Agreement. The template should be reviewed by your lawyers and data protection experts to ensure it is fit for your purpose but will serve to inform your Passengers as to what is being done with their Data in the booking system.
Let’s look at 5 areas of change that may impact your fleet’s GDPR compliance.
1. Dashcams / Recording Devices:
These are increasingly used by taxi fleets to monitor behaviour and enhance operations. If using these devices, however, it is important to think about whose personal data this impacts on, and what you are doing to protect it.
Passengers
As a fleet owner you have a responsibility to inform their passengers of the use of recording devices in vehicles – the nature of the recording (audio or visual?); is it continual recording or triggered in some way?; how are the recordings stored – in the vehicle, or transferred to the office? How long are recordings kept – especially in the event of an incident? A Privacy Notice should be visible to passengers in the taxi making them aware of this information.
Drivers
How do you communicate to drivers how the recording devices work? Are they formally trained so they answer basic questions from passengers? Is the driver included in the recording – even when the taxi has no passengers? – does this mean the driver is under constant monitoring from a performance point of view, or simply their safety?
When installing such technologies, you are required to conduct a risk assessment of the processing operation to identify (and address) any potential risks to personal data. This is called a DPIA – Data Protection Impact Assessment and is a legal requirement under the GDPR. Fines have been imposed on fleet companies for failing to run these assessments prior to installation and use. If you’ve brought in dashcams or similar devices since 2018 this may be an area to look at.
2. Vehicle Tracking:
Where vehicle tracking is used, it should be clearly documented what the purpose of the tracking is and what data is recorded. Is the driver tracked during working hours only, or could this be left on by accident? If only working hours, what data is collected as part of the tracking process – and could it result in the driver being continually monitored for performance, rather than just their safety?
If the car is owned by the driver, is tracking a condition of employment, or optional?
Has the driver been fully informed as to the legal basis of processing and has a policy been published relating to this – and shared with the driver?
Again, if the vehicle tracking system utilises personal data – and this should be individually categorised, then a DPIA should be conducted ahead of installation.
3. Taking Bookings
Have you formalised a process and trained office staff to take bookings and uploading onto the system?
Have you made any changes to how you take bookings, for example adding new booking channels like IVR or a new app? While booking automation through iCabbi looks after much of the booking process for you and this is data protected, it is important to also consider manual bookings in your GDPR checklist. If credit card payments can be taken over the phone, ensure that any credit card details are immediately destroyed… shredded – not just torn up and put in the bin!
Here’s a clever summary to show the path of a booking through the iCabbi system. It shows what happens to your customer data from booking to expiry.
4. Staff Training
Do you regularly train your staff on privacy related matters, cybersecurity and data protection? Think back to the last time you trained your team on GDPR… are all the same faces still knocking around or have you added new employees to your team… and not yet briefed them on your taxi company GDPR policy?
Are you confident your team would recognise a data breach if one did occur – and are they able to react to it in the appropriate way? Containment of a breach is key to minimising the risk to data subjects – and to prove that your company has a handle on their processing activities.
5. Brexit
If you thought Brexit would get your taxi fleet off the GDPR hook then you’re wrong. So, what will happen to UK fleets and GDPR when Brexit comes into effect on January 1 2021?
Just because the UK has left the EU (currently in the transition period), does not mean that the GDPR no longer applies. On the 23rd May 2018 (2 days prior to the GDPR becoming enforceable), the Data Protection Act 2018 was enshrined in UK Law. This will become the default data protection framework for the UK post-Brexit and will be known as the UK GDPR.
There are slight differences between the two documents (DPA 2018 / GDPR), but in principle businesses in the UK are still required to provide the same levels of protection to personal data they process. The GDPR is now viewed as a minimum entry level for the protection of personal data.
Need GDPR help for your taxi fleet?
If you would like to discuss your data protection policies, prepare or audit your GDPR compliance plan then you can contact me and the team at Privacy Helper via the iCabbi Marketplace.