There is a lot of interest in the new General Data Protection Regulations coming into force on May 25th 2018. GDPR will replace the Data Protection Act 1998, which addresses how you manage personal data. It seeks to give more control to individuals, with fines issued to firms that do not comply.
As a taxi firm operator, these regulations will determine your obligations when storing and processing your customers’ data.
GDPR defines the roles of data ‘controllers’ and ‘processors’. A controller states how data will be used, whilst a processor carries out the actual processing. You will likely assume both roles to some extent.
As a controller, you must ensure that the data you hold was collected with consent and is used lawfully for a specific purpose. For example, when clients book your services, you will not be allowed to store their phone numbers or email addresses for purposes other than facilitating the service, unless their explicit consent has otherwise been obtained.
Consent must be explicit, and you must record how and when consent was granted. Consent can also be rescinded at any time.
As an example, a customer may call you to book a taxi. You may store their phone number so that the service can be executed, but unless you’ve gained consent to do so, you cannot then follow up to market your services. GDPR stipulates that data should only be stored for as long as required, so arguably you may only be able to store your customer’s contact details for the duration of their journey.
Processes therefore need to be put in place. If you are using software to manage your customer database, you need to ensure that the data you store is necessary for the provision of your services. This may include asking your customers if you can store their details, such as pick-up and drop-off points, for future reference. If you already send marketing communications to your customers and do not have proof of consent, you must gain consent for future contact. Having a well-defined set of terms and conditions will help this process.
Ultimately, there is a lot of common sense involved in GDPR compliance and the regulations will evolve through case law. If you follow best practices, gain consent and monitor your data usage, you’re pretty much there. However, if you are in any doubt, it is highly recommended that you seek professional advice to ensure that you are not in breach of GDPR, since you may otherwise be liable to significant fines and prosecution.