GDPR: how will the new data protection law affect the transport sector?
As Europe’s General Data Protection Regulations comes into force, organisations across all industries have questions about what exactly it means for them. Here, Richard Thomas, employment lawyer at Capital Law and GDPR expert, looks at what businesses in the transport industry will need to consider.
GDPR replaces existing European laws on data protection – making it the most significant change in data protection law in 20 years. It will mean that all organisations have to change the way they capture, use and share personal data – both internally and externally – no matter their size or structure.
So, from nationwide rail or bus operators to travel agents or transport-focused tech start-ups to engine manufacturing giants, all types of businesses across the transport industry will be affected.
How does the transport industry use personal data?
Transport is only getting smarter and that is dependent on making the most of personal data. Airlines, connected car manufacturers, transport authorities, apps focusing on smart ticketing and gig-economy giants like Uber and Lyft all contribute to the development of intelligent transport systems. This development centres on collecting, sharing and exploiting personal data – which will fall under GDPR.
This includes information like a passenger’s name, contact information and address, as well as ‘smarter’ information – like travel patterns and times, recent journeys and fares.
Smart transport initiatives make the most of personal data to:
- Use tracking technology to improve urban planning and operations by analysing patterns of smart tickets or connected/autonomous vehicles
- Share data to develop agile service networks
- Increase the efficiency of passenger flows – from public transport platforms like airports or stations to more sophisticated methods like automated traffic light systems
- Generate revenue by passing data on to third parties, like retailers, operators, suppliers and advertisers.
And, it works both ways. While transport companies can use personal data to monitor and tailor what they offer to each individual, customers can also personalise their own travel options – through online booking, downloading apps and ‘favouriting’ destinations or journeys.
How GDPR affects the use of personal data
Traditionally, organisations have relied on consent to process personal data. This has historically been obtained through a variety of (sometimes discrete) means – like terms and conditions or the option of an opt-out or pre-ticked consent box.
GDPR introduces a much higher bar for valid consent – it can no longer be wrapped up in terms, it must be a positive opt-in and the individual must know exactly what they are consenting to.
Firstly, businesses need to understand what personal data your they’re processing, why it’s being processed and what legal basis (under GDPR) applies. It is also important that they are clear on where the information is obtained from (direct from the individual or from a third party) and who it might be shared with.
Organisations will need to have privacy notices (also referred to as fair processing notices) explaining to passengers, customers and third parties what they do with their personal data. GDPR requires more information to be disclosed in your privacy notices – if you already have privacy notices check they are in line with new requirements.
Areas that companies might want to think about are:
- The use of vehicle tracking/autonomous and connected vehicles
- How they collect and use smart ticketing data
- The way they store customer data – from geo-location data or mobility patterns to vehicle tracking
- How they go about obtaining consent for data processing
- Contractual solutions and supplier agreements
- How they can show customers that they’re putting the protection of their data at the heart of what they do
- What other policies, procedures and governance structures – as well as training – they need to put in place to keep you compliant.
What happens if businesses don’t comply?
If businesses don’t comply with GDPR, they’ll be open to enforcement action – which could damage reputations as well as bank balances across Europe. The maximum penalty that could be as much as £17 million or four per cent of a company’s global turnover – whichever is higher.
If GDPR is breached – whether intentionally or accidentally – in certain circumstances it must be reported to the Information Commissioner’s Office (ICO) and potentially to the individuals whose data has been breached. If not, businesses are opening temselves up to two fines: one for not reporting the breach, the other for the breach itself.
Transparency is key and this is where privacy notices will be important – if an individual suspects that their rights are being breached, they can complain to the ICO, who will take any complaints seriously.
If passengers trust the company they’re travelling with to handle their data appropriately, they will be more willing to provide it – which means that the company will benefit in the long term.
Can businesses get any help or advice?
There are several handy tools that can help businesses get GDPR complicance right.
Firstly, the ICO has developed an entire section on understanding GDPR – with a dedicated advice line1, as well as a ‘12 steps to take now’2 document – to help prepare companies with targeted information, along with more detailed GDPR guidance3.
The ICO has also developed a ‘lawful basis’3 tool to give businesses tailored guidance on which legal basis is likely to be most appropriate for the data processing that they undertake.
Using tools like this can really help businesses of all shapes and sizes to work out what legal basis they can rely on for their processing activities.
For our transport networks to be effective, compliant data analysis – looking at how people use our roads, railways and skies – has never been more important. The entire industry needs to understand the principles of GDPR and how it affects its day to day business and development.