GDPR in Conjunction with Driving Schools

Personal data, or personally identifiable information (PII), must always be handled responsibly and in accordance with the law. Data protection law changed recently with the introduction, on 25th May 2018, of the General Data Protection Regulation (GDPR). This latest regulation covers all European countries – until Brexit officially passes, the UK must follow it along with the rest of the EU.

Driving schools handle PII belonging to pupils all the time, so it is especially crucial that our industry adapts to accommodate the changes that were implemented. The Information Commissioner’s Office (ICO) will impose serious penalties on businesses that fail to follow GDPR: fines of 2% of the business’s global turnover (or £8.8 million) for minor breaches, or fines of 4% of the business’s global turnover (or £17 million) for more significant breaches – whichever amount is greater.

Background of GDPR

● GDPR was introduced as a replacement for the Data Protection Act (DPA) of 1998, which had understandably become outdated and was long overdue a revision.
● GDPR takes into account the advances of modern technology, including the availability of and access to information on the Internet and social media, which did not exist in 1998.
● The EU states that with GDPR, they aim to “harmonize” data protection laws all across Europe.
● Part of GDPR’s aim is to grant more rights to individuals with regard to their personal data.
● With all this considered, GDPR has had an impact on the majority of businesses across the UK, including driving instructors and their schools.

How Will GDPR Impact Me?

If your driving school gains any type of passive consent from data subjects – like having pre-ticked checkboxes for newsletter subscriptions or opt-out schemes – then this must be amended or taken down immediately. True to its core purpose of granting more rights to individuals, GDPR will not consider passive consent to be true consent. This is because GDPR actually changes the definition of consent: now it must be an “affirmative, active action” that is taken by the user.

If you do still have means of collecting information after only obtaining passive consent, your driving school could be at risk of a GDPR violation. It is vital that you update this or stop collecting this information.

Another way in which driving schools will need to adapt to meet the requirements of GDPR is by having certain information available online, such as on your website, to all data subjects. This information should be laid out in the following documents:

● a complete privacy policy
● a detailed explanation of why you are collecting personal data
● an explanation of what you intend to do with this personal data
● how and for how long the data will be kept
● how the data will be erased
● the rights of the data subject to the rectification, access and erasure of the data
● the rights of the data subject to restrict processing of the data
● your business’s contact details

These are the basic, fundamental changes that GDPR introduces, but if you are unsure about any part of it, it is best to seek legal advice from a qualified professional.
