The EU’s new General Data Protection Regulations (GDPR) will come into effect in May 2018 and are set to affect the way data is stored, used and passed on. Saad Ahmed speaks to Sofico, Addleshaw Goddard, and RSM about the upcoming changes, and how they are likely to affect the leasing and fleet industries.

It’s the biggest change in data protection law in 20 years,” Toni Vitale, legal director, data and information team at Addleshaw Goddard tells Leasing Life.

The EU has put the issue of data firmly back on the agenda with the General Data Protection Regulation (GDPR). Adopted in April 2016, the GDPR is the biggest overhaul in data protection law since the 1990s.

Much has changed in 22 years. When the original rules were conceived in 1995, the EU Data Protection Directive did not have to grapple with pervasive social media, ever-specialised personal data, and pinpointed individual location data as accurate as that which is now available. As the number of companies involved in the data chain has increased, so too has the risk of data leakage and excessive spread.

With the rules due to come into force on 25 May 2018, Leasing Life investigates the GDPR, unpicking what has changed from the old system, and how the updated regulations may affect the asset finance industry and its use of data.

Free movement of data

How well do you really know your competitors?

Access the most comprehensive Company Profiles on the market, powered by GlobalData. Save hours of research. Gain competitive edge.

Company Profile – free sample

Thank you!

Your download email will arrive shortly

Not ready to buy yet? Download a free sample

We are confident about the unique quality of our Company Profiles. However, we want you to make the most beneficial decision for your business, so we offer a free sample that you can download by submitting the below form

By GlobalData
Visit our Privacy Policy for more information about our services, how we may use, process and share your personal data, including information of your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.

“We always talk about free movement of people, and free movement of jobs, and free movement of capital. One thing that the GDPR helps to establish, by harmonising the laws everywhere, is free movement of data,” Vitale says.

A major driver behind the introduction of the GDPR by the European Commission is the development of what the institution calls the Digital Single Market. The aim is to harmonise policy around the storage and use of data throughout the EU, and allow both individuals and businesses to carry data across borders.

The GDPR will apply to all businesses that operate within the European single market, including those based in other jurisdictions.

The last piece of EU data legislation, the EU Data Protection Directive, was not as direct as next year’s GDPR regulations. Vitale says that unlike the GDPR, the previous legislation was given to states to implement in their own time, and, largely, in their own way. The UK’s domestic regulation in line with the rules was introduced in 1998, in the form of the Data Protection Act.

According to Vitale, the brief was “more or less, ‘implement these principles into your legislation’. Countries took several years to introduce that. We didn’t pass our data protection law in the UK until 1998, three years later,” he says.

Vitale also stresses that the more lenient nature inherent in the previous directive led to differences in interpretation of what constituted certain types of data. This prevented the 1995-based wave of domestic regulations from offering the same protections and standards across European borders.

“For example in Italy, data about companies is personal data, whereas everywhere else in Europe it is personal data about individuals only. So there are some quite big differences,” he says.

Vitale says the GDPR went through many years of consultations and drafts before being set for a May 2018 implementation in 2016.

“It started off five years ago with early drafts being passed between the Council of Europe and the member states, and the [European] Commission. And then, four years of drafts developed until it came into force in 2016, but with a two-year implementation period. So it has already been in statute books since May last year,” he says.

The major difference between the GDPR and previous regulation lies in who holds liability if data breaches occur. The new regulations place responsibility on data processors, as well as data collectors, to ensure that their practices are in line, and data is collected with consent.

“The key of the GDPR is fair, lawful, and transparent processing. It is all about telling people what you are going to do with their data, and doing nothing else with that [data],” Bram Wallach, product manager at Sofico, tells Leasing Life.

Industry body Leaseurope held a policy lunch in Brussels in May, with a variety of European data and automotive advocacy groups. In the session, Leaseurope and the coalition of groups called for a common telematics policy across Europe, to allow what it termed “useful” data to be shared.

The group claimed that telematics data was only shared with manufacturers, which limited the quality of data in the industry and available for fleets. It called for EU regulation to allow this information to enrich the common data pool.

Asked if the GDPR would help or hinder this ambition, Wallach says manufacturers are currently able to claim ‘data protection’ as a reason for failing to make connected car data more freely available across Europe in the industry.

While he believes there will be a push towards more open data sharing between companies and across the continent, the GDPR will create stricter requirements for what is considered personal data, “even a combination of data that would indirectly allow for identifying an individual. Even location could be an indirect disclosure of personal data.”

Dealing with it

The effect of the GDPR is likely to be severe. Accountancy practice RSM has urged clients to prepare for the upcoming regulations, warning that their financial health and reputation could be at stake. Steve Snaith, head of technology risk assurance, and partner at RSM, tells Leasing Life that the first step is for companies to know where information is stored.

“They have got to make sure that they know information they have, where it is held, and where it is coming from. And if you are transferring data out, where it is going to,” he says. “After that they can do some checks, [seeing] if they have got the right controls to protect that information, and being compliant of the future GDPR requirements.”

Focusing on online operators, Snaith raises the issue of allowing would-be customers an option to opt-in to sharing data, in contrast to many current models which prompt people to tick a box to opt-out of their information being shared to third parties.

“There has got to be an opt-in for a potential customer to confirm if they are happy for their data to captured and stored. You need a control framework to ensure that the controls are there to protect that information, and they have got a good process to capture consent,” Snaith says.

He adds that companies must rethink their approaches to data retention. Snaith mentions third-party data processors, to which the GDPR has extended liability.
“How long are they keeping information for? There are three guidelines in terms of how long data should be kept, and there is more of an onus in terms of responsibility for data protection,” Snaith explains.

“What information do they have? How long have they had it? Have they got consent to hold it? Is it adequately secured? If they are dealing with third parties, are there contractual data confidentiality agreements?” Snaith adds.

Fleet data

The GDPR’s implementation will have an impact on the way vehicle fleets use data. Wallach says Sofico has designed a two-step process to help clients comply with the upcoming regulations. “First you remove data from operational use, and leave them in an access-restricted archive. The second step – and that could be after 10 years, for instance – is removing it from that particular archive,” he says.

Wallach says data in the access-restricted archive would remain available for legal or audit reasons, if the data is needed to identify an individual or their record. Once the second step is implemented, and the data is removed from the archive, the process is irreversible.

“There is no way to identify the individual anymore,” he says, adding that there is a conflict between data privacy and the need to keep data for legal reasons. “That is just our take on data retention, because we know there is a conflict between privacy on one hand, and legal retention periods on the other. I happen to know that most companies take it the legal way, and just make an argument for the longest retention periods as legally needed,” he says.

He suggests that fleet operators may have to retain some individual driver information for contractual reasons. “As soon as the contract has ended, and all financial settlements have been made, then you could argue there is no reason anymore to still know who that driver was,” he says.

This reveals an issue with the GDPR that many of those interviewed identified. The regulations, despite having added more specific terms, widened liability, and even provided examples, remain vague in many areas. The notion of what constitutes excessive data collection, and when data is no longer needed, remain significant grey areas.

“The European Commission, and more broadly the GDPR, does not actually specify a lot of things in detail,” Wallach says. “They stick to the principles – the principle here being data minimisation and data retention, saying you’re not supposed to hold onto data that you no longer use or no longer need.”

Wallach states that the GDPR puts the onus on businesses to prove that they still require the data, rather than placing a set limit on the number of years for which data can be kept. “As a business you have to make an argument as to why you need the data. And if you can not make that argument anymore then they’re supposedly obsolete or redundant data,” he says.

At what cost?

When the GDPR comes into force in 2018, the regulations will have a profound impact on the way the automotive industry operates. Operators of fleets will be forced to anonymise individual data, in a move which could hinder the development of more tailored solutions for drivers and customers.

Potential sources of data that this may include may prove to be much wider than at present, which may cause operational issues for fleet lessors.

“A license plate is also to be considered personal data. A fleet might not think that is really personal data. The GDPR’s summary says when there is a reasonable chance that somebody could use that piece of data to identify an individual, then it is considered personal data,” Wallach says. “That reasonable opportunity might well be a friend working with the police for instance, who has got access to that type of database.”
For companies such as Sofico that operate fleet software, contractual agreements between all who handle the data must be devised. “That means that data controllers, so our customers in this case, the fleet operators, fleet companies and leasing companies, need clear contractual relationships with all of their data processors, including hosting companies,” Wallach says.

For many companies, it is not inconceivable that the increase of legal hurdles may impact on prices for the end user. “It’s certainly not going to reduce costs,” Wallach says. Though he adds that while the contractual nature of the fleet industry may prevent costs from rising, online companies in other areas may see increased hurdles.
“Free services on the internet will probably suffer the most, because where they were able in the past to compensate for the cost by using all kinds of advertising and profiling, that is going to be a lot more difficult in the future,” he says.
Speed of service is one factor which may subsequently reduce, as possessing demonstrable GDPR compliance is required.

“It is going to add some time to that. The GDPR has inverted the reasoning; all of a sudden, the controller and the processor are now supposed to demonstrate compliance, under the accountability principle of GDPR Article 5,” Wallach says.
“When they come knocking at the door and you cannot demonstrate your compliance, you are likely to get fined.”