GDPR and the DVLA changes – a look at what fleets need to do to ensure full compliance

The past week has been a landmark in the changes to how employee licence checks are carried out in the fleet industry. With GDPR fast approaching the DVLA have now announced that the driving licence consent form (formerly known as the D796) has to be changed to fall in line with the new data protection legislation.

As of 25/05/2018 the DVLA consent form for checking licences will be changed and this has given rise to a lot of questions and speculation around the changes. As licence checks form an integral part of what fleet managers need to do to ensure they cover their duty-of-care we look at what these changes are and how the GDPR will affect things.

What does this mean?

This means that any companies using a ‘paper’ consent process will have to update their processes due to the new GDPR legislation. This also means any driver that has previously signed a ‘consent form’ will also have to re-sign the new fair processing declaration.
Fortunately, Driving Monitor have developed a NEW eDeclaration system making the new process GDPR compliant and can be done in under 60 seconds from any mobile device.

Main observations

Driving Monitor have polled its customers to find out which key questions are being raised the most, and have found the following top 5 questions:

1. Will I be able to check my employees’ licences using the existing consent forms we have signed as they were supposed to last 3 years?
2. Does the new data processing declaration last for an extra 3 years or will it just continue from the old one from however long that had to run?
3. Does the DVLA service provide alerts or notifications as to points offences on licences?
4. Do I need to consider any other data protection issues for checking employee licences or is everything else unaffected?
5. Are my Grey Fleet drivers (my employees who use their own car) also affected?

In response to these questions Driving Monitor have developed a free webinar to give UK fleet managers the inside track on what to look out for when using the new digital services in line with GDPR. This free webinar covers:

– What affects the GDPR has on drivers and the data you hold 
– How to be GDPR compliant with driver data 
– The recent DVLA changes to consent and the impacts on fleets checking driving licences 
– How Grey Fleet drivers need to be managed under GDPR 
– How to ensure your company is fully compliant with the new legislation

The road ahead

Now that GDPR is finally upon us, anyone who manages employees who drive on company business (be that cars, vans, minibuses, HGV’s etc) will need to ensure they are fully compliant with the new processes to avoid heavy penalties from the fines that could be imposed by the Information Commissioner (ICO).

Kevin Curtis, Managing Director of Driving Monitor commented, “It’s good news that the DVLA have looked into this and updated the consent forms that drivers would need to sign. In practice the old approach of the driver consent form was a ‘belt-n-braces’ approach – now with GDPR it’s much clearer how we need to be handling data processing for driving licence checks. So under the new regime from 25th May 2018 drivers will sign a NEW data processing declaration and the idea of ‘consent’ is removed.

At Driving Monitor we work to very high standards of data security, and are governed by the code of conduct within the ADLV and have to be ISO27001 accredited as a minimum. It would be helpful if government departments such as the DVLA were also at the same standard of ISO27001 to ensure the highest levels of security at the data source.

Kevin also went on to say, “If an employee thinks their licence data has been viewed without their consent they should ask their employer how this has been implemented. The employer would need to show evidence of a clear process where the driver has agreed and signed off the data processing, with a date and time of the declaration. Employers need to be careful if they are considering using the VDL service from the DVLA without obtaining an auditable consent given by the employee. Worse still if a disgruntled employee leaves a business and knows their licence was checked without their consent, they could cause serious problems for that employer.

Most organisations are aware of data security and even the thought of an investigation by the Information Commissioner for a breach of the Data Protection Act is enough to halt these actions. A ‘blot on their copybook’ can be a serious hindrance when it comes to tendering for contracts and they would want a clean record, and now with the new GDPR fines that come into place – the impacts could be huge.

One final area of concern is printing the results of a licence check or web page showing the results (such as the PDF document that can be printed from the DVLA system). Most people know you can simply view a PDF with a few clicks, so employers need to make sure they don’t use these printouts as the actual evidence or store these on laptops or desktop PC’s that don’t have the correct system securities – as these actions would breach GDPR. Only by using secure platforms can you be guaranteed of full compliance with the GDPR.

Kevin Curtis went on to say, “Companies such as Driving Monitor offer a completely managed service, from collection of the new version of consent to full web dashboards and automated reports on licence status, points, categories and entitlements.

We find that when a company has more than a handful of drivers the need for an auditable report to cover their Duty of Care comes into play. Fleet managers are far more savvy these days and understand the importance of combining their licence checks with other safety checks such as risk assessments and telematics data. They are demanding integrated services to take the burden away from their admin teams and this is where companies such as Driving Monitor add real value.”

 

[Source: Kevin Curtis, Driving Monitor]