THE NEW General Data Protection Regulation (GDPR) rules go live on May 25 and private hire firms are being warned that IT systems must be ready or face a possible fine of 20 million euros or four per cent of turnover.
The GDPR (Regulation EU 2016/679), which was adopted in April 2016, becomes enforceable on 25 May 2018 and aims to: “Give back control to citizens and residents over their personal data and to simplify the regulatory environment”. It replaces the current 1995 Data Protection Directive.
WHAT ARE THE NEW RULES? – Personal data collected by minicab firms may not be processed unless there is at least one lawful basis to do so. These include:
- The data subject has given consent to the processing of personal data for one or more specific purposes
- Processing is necessary for the performance of a contract to which the data subject is party or to take steps at the request of the data subject prior to entering into a contract
- Processing is necessary for compliance with a legal obligation to which the controller is subject
- Processing is necessary to protect the vital interests of the data subject or of another natural person
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
- Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party unless such interests are overridden by the interests or fundamental rights and freedoms of the data subject, which require protection of personal data, in particular if the data subject is a child
WHAT ABOUT FARE DODGERS AND CRIMINALS WHO DEMAND THAT MINICAB FIRMS ERASE THEIR DATA? – Doubts have been raised that private hire companies might not be able to legally pass on the information of ‘bilkers’ and those that damage vehicles or attack drivers but the Information Commissioner has confirmed that firms should still be protected by crime prevention exemptions within the GDPR.
Under Article 23 of the GDPR: “Member States can introduce exemptions from the GDPR’s transparency obligations and individual rights, but only where the restriction respects the essence of the individual’s fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard (including)”:
- The prevention, investigation, detection or prosecution of criminal offences
- Monitoring, inspection or regulatory functions connected to the exercise of official authority regarding security, defence, other important public interests or crime / ethics prevention
TFL ADD EXTRA LAYER OF COMPLIANCE – The above exemption protection is good news as TfL now wants licensed cab firms to hand over journey and passenger data processed while taking bookings and despatching vehicles. It is also asking all licensed private hire companies to nominate a member of senior management to be accountable for the safety and protection of passenger and driver data and to set out: “Clear policies and action for the prevention and reporting of offences.”
The licensing authority also wants data related to criminal activity reported in a “timely fashion” to both TfL and the police.
A spokesman for TfL said: “Operators should share data with TfL so that travel patterns in London and the overall impact of the services can be understood.”
But there are implications under the GDPR if private hire firms allow customers’ personal data to be illegally accessed by others while trying to comply with the need to hand over journey information to TfL.
Fareed Baloch of zoom.taxi said:
“If you collect data on your customers, you will need to inform them what you are receiving, why you are keeping it, what you are going to do with it and whom you will share it with.
“For private hire firms, this could include travel information, regular pick-up and collection points, as well as contact information. A breach of a single piece of this data could result in a significant fine, which small companies would find hard to afford.
“Customers can also demand to have all their information erased. Erasing data not only applies to the company contacted directly, but also to any third parties you have shared your data with. So, if it has left your particular company, you need to be able to access and delete this data or update the new data you have shipped elsewhere.
“All companies holding data need to provide the download of data as a minimum and many people will, like cookies, simply opt in. It will, however, make it more expensive for businesses that collect and hold data.
“Can you stop people getting data they shouldn’t out of the organisation? And can you allow people to do their jobs and share the data they need in a way that lets you prove the sharing of data is above board and that no malicious or erroneous sharing is taking place? If you can answer yes to both then you have a reasonable shot at compliance.”