GDPR in Conjunction with Driving Schools

The General Data Protection Regulation (GDPR) took European businesses by storm when it became official on 25th May 2018. While most people will have already made any changes needed to their businesses in order to comply with the latest GDPR laws, it is really important that all types of businesses are aware of them. That includes driving schools since, in our industry, the handling of personal data is part of the job. Until Brexit is fulfilled, these EU laws apply to us as much as to any other country.

GDPR in a Nutshell

It’s good to know the context surrounding GDPR, as this will help improve your understanding of its policies and purpose. This set of laws and regulations was implemented as a revision of the old Data Protection Act (DPA) of 1998. So why was GDPR necessary? What changes were introduced to data protection laws?


The DPA was long out of date – 1998 was a completely different world in terms of technology and availability of information. Today, it is much easier to collect, store and access personal data, so a new set of laws that accounts for the progress made over the last 20 years was long overdue. As one example, there was no social media back in 1998.


Expanding on the last point, the latest laws bring data protection regulations up-to-date with modern society. Additionally, GDPR aims to give individuals (data subjects) even more rights when it comes to how their data is handled and collected. In the official EU GDPR statement, the goal of “harmonizing” data protection laws across Europe is cited.

How Will This Affect Driving Schools?

As mentioned earlier in this article, driving schools are one of the many industries in the UK that collect and record personal data about clients. GDPR changes the ways that we are allowed to do this – it is essential that you familiarise yourself with it and ensure all your operations abide by its rules.

Consent – GDPR highlights the need for active, affirmative consent through a clear action on behalf of the data subject. Under the DPA, passive consent (e.g. pre-ticked checkboxes or opt-out schemes) was perfectly acceptable. Now, this will not suffice, and you need to update the way in which you gain consent to collect personal data.

Transparency – GDPR also means you need to have documents available which detail the following things: an explanation of why you need to collect personal data, how you will collect personal data, how personal data will be stored and erased, what you intend to do with the data, a full privacy policy, contact details, and an outline of the data subject’s rights to: rectification, erasure, access and the restriction of their data being processed.

The consequences of failing to comply are not to be taken lightly – the Information Commissioner’s Office (ICO) deals out serious fines to offenders who breach GDPR. These are much more severe than they were under the DPA – fines of up to £8.8 million or £17 million depending on the offence.
