GDPR in Conjunction with Driving Schools
GDPR, which stands for General Data Protection Regulation, is the acronym on everyone’s lips recently. You have probably already seen a lot about it, whether through a bombardment of emails asking “do you still wish to receive information from us?” or through it being discussed on the news. For driving instructors, this raises the question, “how will GDPR affect the driving school industry?”.
GDPR was officially introduced on the 25th May 2018. It came about as a modern revision of the old 1998 Data Protection Act (DPA), which was written a long time ago, when the technological world was very different; technology has progressed rapidly in a short amount of time since. A revisit to these data protection laws was long overdue, and that is part of the reason behind the new rules. In addition to this, the EU stated that they felt the need to “harmonize” the rules about data protection across all European countries. So until the UK actually leaves the EU, these laws apply to our country and all the businesses in it. Finally, GDPR was implemented with the intention of increasing the rights granted to individuals about how their personal data, or personally identifiable information (PII), is handled, collected and stored.
Driving instructors and schools will collect, record, handle and store a wide range of PII about their pupils. Some examples would be their pupils’ full name, address, telephone number, driving licence information, and more. GDPR is very much relevant to our business operations, so it is paramount that the legislation is not breached.
What happens if you don’t follow GDPR? The Information Commissioner’s Office (ICO) can give you a huge fine of up to £8.8 million (or two per cent of your firm’s global turnover) if you commit a small offence, and for a more serious offence this goes all the way up to a fine of £17 million (or four per cent of your firm’s global turnover).
How To Make Sure Your Driving School is Compliant
There are some things you can check to ensure your driving school follows GDPR. If you aren’t already doing these things, you need to update your website and means of collecting data:
● Only collect, record or use data from a data subject who has given active, affirmative consent by a clear action. Passive consent (automatically ticked checkboxes or opt-out newsletters) is no longer sufficient.
● Have a clear and comprehensive privacy policy document available on your website.
● Have a document which explains why you need to collect personal data and what you will use it for.
● Have a document that explains how the data will be stored, for how long it will be stored and how it will be erased.
● Have a document that outlines the data subject’s rights to rectification, erasure and access to their data, and their right to restrict the processing of their data.
● Have a document with complete contact details for your business.
This is merely a brief overview of the GDPR legislation, and is not intended as a complete legal guide. If in doubt, speak to a legal advisor.