GDPR in Conjunction with Driving Schools
General Data Protection Regulation was officially introduced on the 25th May 2018. The new legislation expands on and updates the old Data Protection Act, which was created in 1998, and was introduced by the EU. GDPR applies to all European countries, and as Britain is currently still part of the EU, we are also obliged to follow it.
Before we go into how GDPR will specifically affect the driving school industry, there are a few things you need to know about the Regulation itself.
What Does GDPR Hope to Achieve?
1. Modernisation of data protection laws, which were created approximately 20 years ago, and society has evolved significantly since then.
2. Acknowledgement and reference to the most modern versions of technology, such as the Internet, and technology that did not exist back then, such as social media.
3. “Harmonization” of data protection laws across Europe, so that they are consistent for all EU countries.
4. Granting of more rights to data subjects as individuals, giving them increased protection when it comes to their own personal data.
Driving Schools and Personal Data
The collection and usage of personal data belonging to our pupils is integral to the operation of our businesses and the delivery of our services. We will be recording and handling personally identifiable information (PII) of our pupils on a daily basis – it is a core part of the job. Anything along the lines of first name and surname, telephone number, driving licence details or home address would be considered PII. The important of complying with GDPR for driving schools cannot be overstated.
GDPR in Conjunction with Driving Schools
There are two main ways that GDPR will have an affect on driving schools: consent and transparency.
1. Consent
GDPR redefines the concept of consent as part of giving more rights to individuals about their data. Under the DPA, passive consent was perfectly fine, but GDPR will no longer see this as enough. Passive consent is any type of consent that is not given as an “active, affirmative action” by the user (and data subject in question). Some popular ways in which passive consent can be gained are by having checkboxes that need to be un-checked on a website, or by having opt-out subscription services. You must ensure you are gaining proper consent from data subjects. If you use a passive consent system, it must be updated or removed immediately.
2. Transparency
Under GDPR, you need to have certain documents available to clients and data subjects. There is explicit information that needs to be included as part of this.
1. You need to explain why you are collecting personal data.
2. You need to explain how you will use this personal data.
3. You need to outline the data subjects rights, as follows: their right to rectification, their right to erasure, their right to access and their right to restrict the processing of their data.
4. You need to have clear contact details for your business.
5. You need to have a complete privacy policy.
Breaking data protection laws is a serious criminal charge, so study GDPR carefully.