GDPR: What does it mean for businesses using GPS tracking?

It’s been two years since these regulations went into effect. Here’s what you need to know.

GPS tracking systems that let businesses follow their employees and fleet vehicles in real time have revolutionized the way businesses operate.
For over a decade, GPS-based services have helped companies meet the ever-increasing demand for information. However, this process also involves gathering sensitive personal information about employees, which the EU considers dangerous and open to misuse.
As of May 25, 2018, the EU General Data Protection Regulation (GDPR) came into effect in full force. The EU GDPR replaces the Data Protection Directive, which had been in use since 1995. The new law is designed to improve data privacy law across Europe: to protect the personal data of EU citizens and to help companies regulate the information they gather about their workforce as well as their customers.

What is The EU GDPR?

The General Data Protection Regulation is a comprehensive data protection law that expands the existing privacy rights of EU citizens and places strict requirements on businesses that gather and use personal data to provide services. The GDPR focuses specifically on “processing”: how an organization or entity collects, stores and uses any data about individuals living in the UK. The GDPR reforms the eight data protection principles of the Data Protection Act that had been in effect in the United Kingdom since 1998. The law also introduces new rules on transparency, accountability and proof of consent regarding how personal data is gathered and stored. Empowering EU citizens as the owners of their personal data is central to the GDPR. Under the new regulation, the concept of personal data is very broad and includes any information that can be used to identify an individual. The EU GDPR aims to unify privacy law across the continent and keep enterprises on a short leash regarding the use of personal data.


Known fact: The financial consequences of GDPR can be severe

If there were questions about how strenuously the EU would enforce their new rules, those have now been answered. The financial consequences of failing to comply with the GDPR can be steep, as we’ve seen with recent fines. According to the law, penalties run up to €20 million, or 4% of worldwide annual revenue, whichever is greater.

This past January, Google was fined €56 million for failing to obtain informed consent from customers for the use of their personal data. It can be argued that Google attempted to get proper consent, but the relevant language was spread across multiple pages of content. It is apparent that, to regulators, following the spirit of the law, truly helping individuals understand how you use their personal data, matters more than technically complying with its letter.

But it also appears that good-faith efforts count in the eyes of regulators. An unnamed German social media platform was fined for data breaches that exposed customer data, including passwords.


Is Your Company Ready?

Any company that operates within EU borders or acquires data from individuals living in EU countries is required to comply with the GDPR. As the sharp rise in fines shows, the EU is serious about how a company handles personal data. It is vital for companies to revise their existing policies to accommodate the changes the GDPR brings. There are certain steps to follow in order to make a business compliant with the new regulation.

Consent is one of the main focuses of the new law. Fleet businesses benefit from the personal data gathered by the GPS tracking devices installed in their employees’ cars, so the first step should be to inform the drivers about the new law and obtain their consent for the use of their sensitive data.

Under the GDPR, every company is required to assign a data protection officer (DPO) who is in charge of monitoring and managing the data acquired from GPS tracking devices. The DPO is also responsible for demonstrating that there is no conflict of interest regarding data protection. Every department that has access to employee data or has some control over the data flow must be ready to collaborate and must have a comprehensive understanding of how the company manages its data practices.

The General Data Protection Regulation demands greater transparency and control over the information companies process and exchange with third parties. Companies are expected to verify compliance whenever required. To show that a business is in line with the new regulation, business owners and managers need to make sure that access to personal data is limited and that all protective measures have been taken.


https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/


Our company clearly understands the importance of the law and supports its implementation. Therefore, we have been taking steps to prepare the platform and our partners as well:

  • Xfleet servers are located in a secure data centre with Tier III Uptime Institute certification.

  • The servers are protected against various kinds of vulnerabilities.

  • The software is updated regularly to keep the security level of private data high.

  • Our company uses modern data encryption methods, such as end-to-end encryption and TLS.

  • All employees have been trained to spot potential data threats and take security measures.

You can always specify how long the private data of your users will be stored. You set the storage period while creating customer tariff plans in your Admin Panel; after this period, the data is deleted automatically.


Summary and recommendations


Here is a list of recommendations our Partners may use to secure private data properly and make the process clear to the customer.

  • Update your Privacy Policy and Terms of Service. Add the link in the Admin Panel to display your policy and terms on the login page of your service (as mentioned above).

  • Collect consent from users to process their personal data.

  • Train your employees in how they should handle the personal data of your users.

  • Inform your users how they can view their personal data and swiftly contact you if they need to request changes to their personal information.

  • Make sure that you follow up on customer requests and act quickly to delete or change personal data.

  • Manage the history storage period for your customers by creating tariff plans in the Admin Panel.

  • Add an SSL/TLS certificate to your monitoring service domain name. TLS encryption is an established way to protect web traffic between your users and your service, so that someone with malicious intent cannot intercept the traffic and read sensitive information about your users.

If you still have any questions about the regulation and the steps you should take to be ready, please contact our sales department.