In under a year’s time, on 25 May 2018, the EU’s General Data Protection Regulation (“GDPR”) will come into effect across the EU, including the UK – regardless of Brexit. The GDPR will have a significant impact on those who collect, use and otherwise process “personal data.”
How is personal data used in the transport sector?
Broadly, “personal data” means any information which relates to an identified or identifiable individual, principally a passenger in this context. It will include, for example, the passenger’s name and contact details; it will also (sometimes) include information about travel patterns, vehicle usage, the dates and times passengers enter or exit a transport network, and fares or toll information. Whether or not those types of information constitute “personal data” in a particular context (so as to be caught by the GDPR) is often the first (and sometimes the most difficult) question; usually, it will depend on how that information is going to be used.
The changes brought in by the GDPR will affect businesses and organisations across the transport sector, from train or bus operators, airlines, passenger transport authorities, manufacturers of connected and autonomous vehicles, in-vehicle or on-board platform developers, to smart ticketing and other suppliers across the intelligent mobility supply chain.
Understanding and exploiting transport data sits at the heart of recent developments in intelligent mobility. As such, businesses are potentially collecting and sharing more personal data, and for a wider variety of purposes, than ever before. For example, personal data may be used for:
- increasing the efficiency of passenger flows within stations or airports via smart ticketing data and mobile phone analytics;
- improving urban planning and operations, through tracking of smart tickets or connected and autonomous vehicles;
- sharing data between agencies and operators to create Mobility as a Service networks;
- enabling in-vehicle platforms and sharing / rental business models such as pay-as-you-drive insurance; and
- generating revenue from data, by providing it to third parties such as station or airport retailers, advertisers, mobile network operators or automotive service and parts suppliers.
It is essential that transport businesses and organisations understand and comply with the GDPR, not least because there will be increased penalties for non-compliance, including (in the worst cases) fines of up to €20 million or 4% of worldwide turnover.
Complying with the GDPR can also deliver significant business benefits. Passengers will be more willing to provide their data, and for different uses, if they trust organisations to handle it fairly, securely and responsibly.
Key areas of impact for the transport sector
Clients are already talking to us about impacts in the following areas:
- use of smart ticketing data e.g. on fares / tolls or on Mobility as a Service projects;
- use of vehicle tracking and/or road charging data;
- methods for achieving user consent for data processing in various transport modes e.g for in-vehicle or on-board platforms (to the extent that consent may be required);
- vehicle sharing / service models – addressing issues of different drivers and passengers using a vehicle;
- legally compliant methods for storing geo-location data or mobility patterns;
- ensuring data security within intelligent transport systems; and
- contractual solutions for complex intelligent mobility supply chains where multiple or joint controllers and processors of personal data are present.
For example, we were commissioned to provide a report for the FIA, which looks at whether car data from connected and autonomous vehicles constitutes ‘personal data’ and whether product liability legislation allows Original Equipment Manufacturers to exclusively collect and process such data.
The impact areas highlighted above are just some of the considerations for transport businesses and organisations. This guide and our checklist of key questions are designed to monitor your progress towards GDPR compliance.
With less than 12 months to go, transport businesses and organisations must:
- give careful consideration to what personal data they collect and how they use, share and otherwise process it;
- review their existing supplier and other agreements to ensure that they meet the more onerous requirements of the GDPR, and properly allocate risk between the parties;
- ensure that they implement the principle of privacy (or data protection) by design, which means that data protection should not be an afterthought or an issue casually considered at the end of a project or procurement of a new system; it must be central to the way that organisations plan and operate; and
- put in place those other policies, procedures and governance structures which will be needed – together with relevant training – to ensure on-going compliance.
If you would like to discuss the GDPR, or any of the issues raised by it, please contact one of our experts whose details are below, or your usual Osborne Clarke contact.