Users of Jaama’s Key2 vehicle and driver management system have been urged to undertake a data mapping exercise ahead of the introduction of the General Data Protection Regulation (GDPR).

Jaama has called GDPR, which comes into effect on May 25, “the most important change in data privacy regulations in 20 years”.

Under GDPR, employers must ensure that employees’ personal data - as well as that relating to clients and prospects - is processed lawfully, transparently, is secure, and is only held for a “legitimate business interest”.

That, for example, could include recording driver licence-related information, the capture and processing of mileage for travel management and business expense claims, accident-related information, fuel data capture and the use of driver behaviour data from in-vehicle telematics.

Martin Evans, managing director of Jaama, said: “Key2 users must reacquaint themselves with the role that data plays within their organisation, and how data belonging to individuals flows around both internally and externally. Employers should only collect data that is required for specified, explicit and legitimate purposes.

“They should familiarise themselves with the current data held and processes and establish if any non-essential data is held. It is important to undertake a data mapping exercise to establish where data is.

“Key2 users must be transparent about how they collect data, what they do with it, and how they process it and be clear in their explanation to employees.”

However, under GDPR once data is no longer required it should be deleted. As a result, Key2 users - as part of the latest system enhancement - now have the ability to ‘obfuscate data’ from the system - information is scrambled to prevent unauthorised access.

Evans said: “Drivers have the right to obtain from Key2 users the erasure of any personal data. This can either occur when the storage of personal data is no longer necessary in relation to the purpose for which it was originally collected, or if the subject withdraws consent to store personal data.”

He continued: “Data can be obfuscated in Key2 in several ways including through rule builder and criteria selection. All mandatory fields that contain personal data - any information relating to an individual that can be used to directly or indirectly identify them - can be selected for obfuscation.”

GDPR builds on existing data protection legislation with a particular focus on digitalisation and technology. Core to the 1998 Data Protection Act are eight data protection “principles” and GDPR reforms those and introduces new “principles” of transparency and accountability with the ability to “prove consent” a significant pillar of the new regulations.

Penalties for breaching the core “principles” of GDPR are potentially huge with a maximum fine for companies of €20 million or 4% of total worldwide annual turnover of the preceding financial year, whichever is the higher. What’s more the reputational damage of businesses misusing or losing data could be significant.