GDPR: GEARING UP FOR CHANGE?
The General Data Protection Regulation (GDPR), which gets its first airing in Parliament this September, will signal a step-change in the way the transport and logistics sector looks after data and information, says Dave Jeffries, MIS manager at training provider System Group.
GDPR will be a new data protection regulation set to strengthen and unify the safety and security of the information held by all sections of the transport and logistics industry, replacing the Data Protection Act of 1998, which gives individuals control over what information is held on them by organisations.
It is essential operators start planning their approach to GDPR compliance sooner rather than later, and that those involved are not only made aware of but also understand the changes and embrace them fully: failure to comply could see eye-watering fines of up to €20 million (or 4% of turnover – whichever is greater) for both the data controller and anyone else involved in the chain.
Contract arrangements are set to change. Under the GDPR it will be illegal not to have a formal contract or Service Level Agreement (SLA) in place with some of your suppliers. Moreover, if you’re already complying with the DPA it doesn’t necessarily follow that you will be automatically compliant under the new GDPR law.
While a number of the GDPR’s foremost principles are similar, there will inevitably be some new elements and significant enhancements, driving the need for some things to be done differently. Fleet owners and managers will have to gear up for regulations that specifically focus on technology and the digitisation of data. So in addition to the large volumes of data already stored, accessed and processed, from drivers’ licence statuses and convictions to health information and addresses, those responsible for overseeing data management will need to ensure that they interact properly and appropriately with their workforce.
What can be done now to ensure better preparation? Look at the information you currently hold and organise an information audit, documenting the personal staff and student data that’s held on file, where it came from and who accesses it. Review current privacy guidelines and draw up plans to accommodate any necessary changes, while checking that current procedures cover all the rights of individuals, including how you would delete personal data or access and provide data electronically.
Make sure you have the correct procedures in place to detect, report and investigate a personal data breach and assign a data protection officer who can begin working out when to start implementing things such as Privacy Impact Assessments. E-safety is also of critical importance; so if you have a policy, review it to ensure it will remain fit-for-purpose.
If you don’t, having a clearly defined policy in place will be vital in ensuring that all key stakeholders know what needs to be done to remain compliant when the GDPR arrives and starts to take effect from 25 May 2018.
From the training supplier/client perspective, it will be imperative to have some degree of SLA in place. This should be linked to what you want from your service provider that can directly contribute to GDPR - and never be afraid to challenge your supplier over agreements surrounding their commitments to quality assurance and other matters such as improvement planning and self-assessment. Challenge them about what QA tools they use, or plan to use, to monitor, control and evaluate these critical areas, which are part of an Ofsted inspection.
It’s important the training provider works with you to plan for change, as well as growth, because it’s easy to forget that demand for additional training, or a sudden recruitment drive, places increased demand on resources and capabilities. An adroit training provider, equipped with the expertise and supported by the requisite quality assurance systems and procedures, will be able to help predict how your needs will change in line with your strategy and advise accordingly.
Training providers have to be committed to making sure that their customers enjoy the highest level of protection and that trust is maintained at all times. This is essential if those undergoing training, or apprentices completing their studies in the classroom/workplace environment, are to realise their potential and go on to play their role as part of a highly skilled, adept and capable industry workforce.
There’s little doubt that GDPR is set to have an impact, but how much remains to be seen. One thing is for sure, though: the transport and logistics sector needs to start thinking urgently about how the regulation will affect it, review current practices and procedures and, if necessary, work with a Register of Apprenticeship Training Providers (RoATP) approved partner who will help operators understand how to adapt to an evolving landscape so that when the regulation arrives next May, they’re fully ready and prepared for it. More about GDPR at https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/
Dave Jeffries is MIS manager at System Group, which works with logistics and transport companies, military and government departments, local authorities, national corporations and small businesses as well as individuals and the self-employed. The company also offers a wide range of qualifications, from management and leadership, through driver licence acquisition, to outsourced learning and development Levy management solutions.