As of May 25th 2018, a new governing data protection regulation (GDPR) will come into force across the European Union.
This will require all businesses and organisations that handle personal data to enhance the way they store, manage and use that information. It requires strict compliance from all data controllers and processors. At Teletrac Navman we have a dedicated team committed to ensuring all of our systems, processes and services are designed to enable our customers to achieve GDPR compliance.
Below, we’ve listed some of the most commonly asked GDPR questions we receive from our customers, along with an explanation of what each really means and how our DIRECTOR platform directly supports you in maintaining GDPR compliance.
| ||What the GDPR Says||How DIRECTOR supports you|
|User Role Access||Under the GDPR, businesses have a general obligation to implement technical and organisational measures to demonstrate they have considered and integrated data protection into processing activities.||The ability to view any data in the DIRECTOR platform is strictly limited to registered system users. Each user may be assigned a role which determines their access to and visibility of data through a flexible range of permissions. Customers with more complex requirements can manage their own team's user access with our full administrator control. This extended functionality allows customers to independently control user roles, reset passwords and disable users.|
|Account Logon||Privacy by design has always been an implicit requirement of data protection.||Passwords used to access the DIRECTOR platform are fully encrypted and not available to view. In addition to this security, customers may opt into a two-factor authentication process for enhanced security. Contact our Customer Support team to find out more. We always recommend that customers maintain robust password protocols and control, as detailed in our terms and conditions.|
|Driver Deletion||GDPR addresses the right an individual has to have his/her own personal data 'forgotten.' Data controllers should have a process in place in the event this request is made so that it can be dealt with in a timely manner.||The DIRECTOR platform offers the functionality to delete a 'Driver', which would include email and telephone number if they are present. Once deleted, the Driver information is no longer visible to users viewing driver level reports. Should you need to go further and wish to fully obfuscate the information in the database, we recommend users anonymise the personal information by overwriting the necessary fields by using a series of symbols such as hashtags.|
|Business/Private Mileage||Individuals have the right to request the restriction or suppression of their personal data. Again, data controllers should have a process in place in the event of this request.||The DIRECTOR platform allows drivers to toggle between private and business tracking mode. During a period of privacy, the location of the vehicle is unavailable, although the system does continue to collect mileage for vehicle maintenance purposes and driver behaviour data for safety monitoring reasons.|
|Data Retention and International Data Transfers||GDPR stipulates that any personal data should not be held longer than necessary and must be stored in a secure environment, and transfers outside the EU have strict requirements.||All DIRECTOR data is held on encrypted storage discs in cloud hosted data centres located in the EU. The data retention period is a rolling 36 months. Functionality within DIRECTOR provides customers with the ability to share automated reports by email to an email address. We recommend customers consider carefully whether this might result in personal data being stored and processed outside of the EU and whether adequate checks and balances control that processing.|
All of the above may seem daunting, but GDPR is not to be feared - it is something to prepare for. It is certainly a step up from the previous legislation, but for responsible businesses it should be a matter of evolving existing processes in order to reach compliance rather than adopting a completely new strategy.
We hope this information was helpful to you and we recommend that everyone in all areas of your business or organisation takes some time to learn more about the new laws. Ensuring every single person is aware of GDPR and its possible implications is the best place to implement a compliant strategy.
To assist us all, the ICO has published a number of guides and checklists which are all freely available on their website. There is also no substitute for seeking independent legal advice specific to your business, especially when performing your Privacy Impact Assessments or determining what readiness steps are appropriate for your operations.
Disclaimer: The information herein is for general guidance and is not legal advice. If you need more details on your obligations under GDPR and about what action to take, please contact an adviser or lawyer.