Risk in Context

GDPR - Data, Telematics, and Logistics Operators

Posted by Anthony Monaghan 01 September 2017

Today’s vehicles already have a surprising level of connectivity compared to just a decade ago, with drivers utilising sat-navs and apps like Google Maps to plan journeys. Experts predict that, by 2020, 80% of all new vehicle models in mature markets will have data connectivity, with technology present throughout the vehicle as part of in-vehicle systems, commercial management systems, and in-vehicle systems connecting vehicles to infrastructure.

The increasing exchange of ‘information’ is creating a rise in the demand for in-vehicle data from a variety of sources. With the new General Data Protection Regulation (GDPR) due to become directly applicable in EU Member States on 25 May 2018, companies must now be meticulous when it comes to data management. The GDPR aims to update the existing data protection framework across EU member states to reflect today’s evolving digital environment, streamline existing laws, and give EU citizens a consistent level of privacy.

The GDPR makes it clear that information is treated as personal data whenever individuals can be identified, directly or indirectly. Location data is provided as an example of an identifier. With the definition of personal data changing, much of the telematics data that transport companies hold may fall within scope of the new regulation and the relationship between the fleet operator and its drivers will therefore become even more important. This will likely place a significant burden on many fleet operators, and some may even need to overhaul their data management processes completely.

One key area of change is likely to be driver consent for use of their personal data. Under the GDPR, where an organisation relies on consent as the legal basis for using an individual’s personal data, that consent must be freely given, specific, informed, and an unambiguous indication of the individual’s wishes, meaning that consent has to be a positive opt-in – it cannot be inferred from silence, pre-ticked boxes, or inactivity. More stringent fines apply for anyone who falls foul of these rules; therefore non-compliance is not an option.


  • Make sure people in all areas of the business are aware of the new law, and promote a shared responsibility. 
  • Responsibility lies with everyone who handles and processes data throughout the supply chain, not just data controllers.
  • Take time to map and document what personal data you hold relating to your drivers, including telematics data. 
  • Think carefully about what data you hold, how you will use it, and what security procedures you have in place to secure the data, including any data that is collected and shared by manufacturers. 
  • Document how you intend the data to be used and who you will share the data with, ensuring that these messages are fully communicated to your drivers. 
  • Check and amend your current procedures to ensure they cover all the rights individuals have under the new rules. Also, ensure that you have an audit trail around the notices and consent that you might be asking for. 
  • Be prepared for drivers requesting to see their data and have systems in place to facilitate this. 
  • Designate someone in your company to take responsibility for data protection compliance.

The new requirements may oblige your company to make changes, which take time and require investment. Proactive organisations can use this as an opportunity to not only protect their business, but to grow it as well.
