GDPR

How GDPR Impacts Multinational Fleets

The GDPR not only applies to organizations that are based in the European Union, but also to those outside of the EU if they offer services to, or monitor the behavior of, EU data subjects.

BY ANDY LUNDIN

The General Data Protection Regulation (GDPR) is a European Union regulation implemented on May 25 that requires organizations to inform users of their services about the personal data they gather about them and what the information will be used for.

For multinational fleets, this means properly managing user data is more important than ever.

The GDPR not only applies to organizations that are EU based, but also to those outside of the EU if they offer services to, or monitor the behavior of, EU data subjects. So multinational fleets with operations in the union need to consider not only what their services provide for consumers, but also any personal information or data they receive in return.

The same would also apply to the data a fleet collects about company drivers. For example, it would need to be transparent about the driver information it possesses, e.g. cellphone number, personal address, etc., and what it will be used for.

“I think this is an area too that fleets got to be mindful of. The rules under GDPR also apply to employees. It’s not just a consumer facing requirement there,” said Greg Sparrow, senior VP and general manager of CompliancePoint, a privacy, security and compliance service company.

The GDPR deals with data associated with individuals, not business data. It requires organizations to communicate to individuals when it collects data from them and when it changes how the data will be later used. The May 25th deadline resulted in myriad companies sending out updates about their privacy policy to users of their services.

“What that really means is companies have to be clear, and conspicuous in what they’re collecting and why. That also would apply to the employees. You have to be able to give them or facilitate access to the information,” Sparrow said. “So if they want to look at it, they have the right to know what’s being collected. If they want to update or modify it, if there are errors or things that need to be corrected, you have to be able to facilitate that.”

Ensuring GDPR Compliance

Under GDPR, the organization that controls what happens to user data is referred to as the controller. Controllers are responsible for ensuring any third-party vendors they are sharing data with, or processors, are also compliant within their own GDPR rules. The processors are also responsible for the compliance of any other third party they then interact with, which, if they do, would be referred to as a sub-processor.

For example, a fleet leasing company based out of Europe would be the controller for a multinational fleet that has operations in the European Union; this fleet would be referred to as the processor. This is because the fleet leasing company is asking for details about the fleet’s drivers as a way to help them manage the fleet.

“Data controllers may only appoint data processors which provide sufficient guarantees to implement appropriate technical and organizational measures to ensure processing meets the requirements of the GDPR. Processors are required to

Automotive Fleet, Q4 2018