GDPR stands for the General Data Protection Regulation.
As of the 25th May 2018, all businesses are expected to comply with the new GDPR law. As a business, self-employed driving instructor or driving instructor franchisee, this will affect you. You should demonstrate a duty of care to your customers/clients/learners in how you handle and store their data and personal information.
For very large companies this is quite a serious matter. For some smaller businesses it is still serious, but the likelihood of being hacked online and having all of your clients’ data stolen is considerably lower. However, there are many instances of failing to comply with the new GDPR law. We will cover those relevant to driving instructors below.
How could the GDPR affect driving instructors?
Everything such as your learners’ personal information should be kept confidential and stored in a safe place. If you take a learner/client’s information by pen and paper, this should not be kept in your car overnight and should be stored in a safe place at your home or office, in a locked filing cabinet. If you store customer/client/learner information by computer, tablet or mobile phone, then your device should have a password on it. Any applications (apps) you use to store information should also be password protected and you shouldn’t leave your device, whether tablet, phone or computer, unattended in your car at night.
Confidential information to consider: the client/learner’s full name, address, phone numbers, driving licence/provisional driving licence, email address, payment methods and bank details, all of which should be stored safely.
Other confidential information to consider is what you post on social media about your clients/learners, whether it be a screenshot of a testimonial, the client/learner cancelling on you at short notice, pass pictures etc. These all count as information about the client/learner and should not be posted to the public domain without their consent. As a company we had one instance in which the learner was taking their driving lessons in Oxford and passed first time with one of our instructors. The pass picture was posted on Facebook; however, the mother complained and wanted the pass picture taken down. Just be mindful and protect yourself, as sometimes people change their minds and with nothing in writing it’s hard to prove a verbal agreement.
Discussing or sharing information verbally, by email or by text message. Be mindful when you are sharing a learner/client’s information that they are happy for you to pass on their name/number/email etc. This shouldn’t cause major issues for driving instructors, but you can see why some big companies such as Facebook have come under scrutiny for selling information and data.
What do driving instructors really have to worry about?
The main immediate concern for driving instructors would probably be the following: storing learner/client information safely and securely, reporting any incidents to the police in the event this information was stolen – most likely if on a mobile phone or tablet.
Having a backup of the information is paramount so you can report to anyone that could have been affected that their information is potentially accessible. Be careful of what you share on social media regarding learners/clients. If in doubt, get their consent before posting – even by text message is enough to cover yourself.
Here are some more examples:
- Right to access personal information – should your clients/learners request anything such as a copy of their progress or transcript of text messages between them and yourself, you should comply.
- Right to rectification – in the event you recorded something incorrectly or the learner/client has changed their address, this should be amended if requested by learner/client.
- Your learner/client’s right to restrict your processing of their personal data – If they don’t want their data/information stored in a particular way then you may need to come up with an alternative way which pleases them. In the event this is not possible and the learner/client doesn’t want to share the data you are asking for, you may have to mutually agree that the service can’t be provided. For example, if the learner/client refuses to take an eyesight test before their first lesson.
- Right to erasure – should the learner/client ask for their information/data to be deleted, you should comply. A good and fair example of this is dash cam footage of their recorded driving lesson/driving test.
- Make clear the contact details of your business – If you are a franchisee you should provide your office/home address.
What to do if data/information is lost or stolen
If your learner/client’s data/information is lost then you should contact everyone concerned and let them know. Obviously do what you can such as changing passwords to stop any immediate access if possible.
If your learner/client’s data/information is stolen then you should report it to the police and obtain a reference number and then follow the guidelines for lost/stolen below.
Depending on the information lost/stolen, certain learners/clients may try to sue you if they are caused harm and distress. If your phone or tablet is stolen and no learners/clients are affected, then it would be very hard for them to seek compensation.
How could a learner/client sue you for their lost/stolen data?
Here are a few examples:
- You have a card machine and you have kept their card details in your car. Since your car was stolen, the learner/client’s card has been used for unauthorised payments.
- You teach 2 learners and, without thinking any harm can be caused, you pass the address of one of your learners to the other. The learner then stalks and harasses the other, police become involved etc.
- You share a test report form on Facebook with your learner/client’s driving licence number visible. This is then used by someone to hire a car through a non-reputable car rental company. The learner/client later receives fines and court letters for various incidents, causing lots of distress.
Visit the following links for more information on the consequences:
Data breaches and the GDPR
A data breach is any situation where an outside entity gains access to user/learner/client data without the permission of the individual. Data breaches often involve the malicious use of data against users/learners/clients.
If a data breach should occur, the GDPR specifies that companies must provide adequate notification. The affected company has 72 hours to notify the appropriate data protection agency and must inform affected individuals “without undue delay.”
You can also be fined for non-compliance
This is unlikely to affect driving instructors immediately but it is still possible. You should be mindful that fines for non-compliance can be as high as 4 percent of revenue.
Regulators are likely to look more kindly on companies who are trying to be compliant.
The above article is not legal advice. All of the content above is an interpretation of how the GDPR law affects driving schools, driving instructors and franchisees. If you are unsure about the GDPR law then you should consult a solicitor for guidance.