Employers have until August 26 to ensure that fleet drivers have signed updated consent forms for routine driver license checks.
Revalidation of documents for data protection purposes is required by the General Data Protection Regulation (GDPR) which came into effect on May 25.
Driver consent forms from the Driver and Vehicle Licensing Agency currently provide consent for third-party employers to engage in license-checking for up to three years. Also known as the D796 driver mandate, the document offers a form of ‘blanket’ consent, permitting multiple checks to be made against the DVLA database.
Falling short of GDPR stipulations, the existing form is to be replaced by the D906 Fair Processing Declaration.
“Consent will no longer be the basis upon which DVLA releases data under GDPR,” said a DVLA spokesman.
“Requests for driving licence data via these services must be supported by a completed and signed D906 Fair Processing Declaration. These forms ensure that drivers understand who is requesting their driving licence data, what the data is, how it is being requested, and for what reason.”
The DVLA states that current consent forms will continue to be valid for three years from May 25, a transitional period in recognition of the “significant task” for employers and fleet managers in adopting the new Fair Processing Declaration.
The new D906 form will remain valid for three years from the date of the driver’s signing, or until the driver stops driving in connection with a company.
Up to two million drivers will be required to sign the new consent form, according to estimates by The Association for Driving Licence Verification (ADLV).
Employers will need to demonstrate evidence of the process by which the driver has agreed and signed off data processing consents, with a date and time of declaration. Non-compliance may result in fines and penalties.
Kevin Curtis, technical director of the ADLV, said: “This is a huge shift for the DVLA and, indeed, the driving licence checking industry as a whole.
“From a technical and compliance perspective, all employers and third parties who are responsible for licence checking will need to be able to demonstrate that the new fair processing declaration has been signed by the driver. This will need to be stored in a way that can be audited to ensure compliance with the new GDPR legislation.”
Curtis also warned that data storage, road tax, MOT and insurance documentation will need to be considered in light of GDPR. This extends to data management processes with supply chain partners, as compliance must also be proven and documented in written contracts.
“Storing … data is one of the key aspects of GDPR,” Curtis said. “We need to look at the systems data is stored in and whether it is in a secure environment.
“For example, do you have Excel spreadsheets and email them around; is the email channel encrypted; are the computers those spreadsheets are saved on encrypted?”
Fleet industry body ACFO states that drivers will also need to delete data from digital vehicle systems such as satellite navigation and integrated mobile phone systems. Drivers may need to be encouraged to delete their data or reset to factory settings ahead of de-fleeting or returning company car and hire vehicles.
The ADLV reports that its members are advising customers on changes being made by the DVLA and how to ensure compliance with GDPR.