Most businesses have already consulted their legal teams and updated their privacy policies. However, this is just the beginning, and making the appropriate changes in practice can be much harder. If you are in the shared-mobility business, you probably collect personal data from your users, such as their full name, email address, credit card number, driver’s license and location preferences, and monitor the trips taken by individuals. You probably also run marketing campaigns based on this data. Before going further, it must be noted that the regulation and its application are quite complex and require frequent evaluation of your policies and processes by legal teams, as well as audits of your data and data practices. With that in mind, here are some general guidelines on how to apply the rules set by the regulation in practice.
Does GDPR apply to you?
If you are in the shared-mobility, rent-a-car or carsharing business and operate in the EU (that is, you have users in the EU, regardless of whether your actual office is in the EU), GDPR most likely applies to you, as you collect and manage user data. The application of GDPR doesn’t take the size of your business into account; it applies to any operator that processes personal data. Depending on your practices, you might have to keep records of your data processing activities. Generally, companies with fewer than 250 employees are exempt from this part of the regulation, but if data processing is a regular activity, the rules will apply. In most carsharing businesses, data processing is a regular activity.
Another important part is the rule concerning a Data Officer. Generally, if data processing isn’t a core part of your business, you don’t need to have a Data Officer. However, most carsharing operations might keep some sensitive data (such as driver’s license information that might reveal the ethnic or racial background of a user). In this case, you will need to have a Data Officer.
If you are a business-to-business operator, you can process information on your clients (businesses) freely, as the regulation only applies to natural persons and not to legal persons. However, if you also provide data processing for your client (processing personal data of your client’s users), you need to ensure that your client acquires appropriate consent from its users and that your data policies are coordinated properly, so that the final user knows who is processing the data. GDPR rules still apply if you are processing “professional” data of users. For example, if your client is a business that offers a carsharing service to its employees and they use their professional contact information (firstname.lastname@example.org), this would still be considered processing of personal data and you have to apply GDPR rules.
Please also note that the manner in which the personal data is collected and kept (whether you do it through the web or with pen and paper) is irrelevant, and the same rules apply. Processing methods are also irrelevant, whether the processing is done manually by an individual or by an algorithm. You need to ensure that the methods the algorithm uses are clearly demonstrated to the user.
Collecting personal data
Depending on your business type and operations, you are most likely collecting the full names, email addresses and passwords of users for account management purposes. This collection remains unchanged, as it is a crucial part of most businesses. Driver’s license, credit card and insurance information are usually also important parts of the carsharing and car rental business, and therefore there is quite a strong legal ground for collecting that information. Please keep in mind that in some cases a driver’s license can be considered sensitive information if it reveals the racial or ethnic origin of a person. Collecting sensitive information imposes additional rules on your business.
Location information is also usually collected. This part is a bit more complex. Location information collected during the actual trip can be considered crucial safety information, both for your business and for the safety of the user. However, after the trip is over, keeping that location information and linking it to the user data can be problematic and requires serious legal evaluation. Generally speaking, since the location data is no longer required after the trip is completed, it should be deleted or pseudonymized. This means you can keep the location information of the vehicle, but it shouldn’t be linked to a specific user and should be kept separate. It should not be possible to combine the pseudonymized location information with the user information you keep to reconstruct a user’s location history, unless there are very strong legal grounds for this. Depending on the type of service you provide, you might be able to keep user-linked location information for some time after the actual trip has taken place (for example, a user has taken a trip to a certain location, and you want to keep that information so that you can check for vehicle damage when the next user opens the vehicle and properly allocate responsibility for any damage). The time for which you keep location data has to have legitimate grounds and cannot be disproportionately long. For example, keeping location data for 3 months (if appropriate legal grounds exist) seems more proportionate than keeping data for 5 years. Again, just getting consent for this from a user doesn’t automatically make you compliant with GDPR; you need to evaluate why and for what purposes you use the location data.
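The retention rule described above, as an added example that is not from the original article: a cleanup pass that keeps the user link only for a retention window and then reduces a trip to a vehicle-only record. The `Trip` fields, the `open_claim` flag and the 90-day window are assumptions made for illustration.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

RETENTION = timedelta(days=90)  # assumption: the 3-month window used in the text

@dataclass
class Trip:
    trip_id: str                  # also printed on invoices, so it identifies the user
    user_id: Optional[str]
    vehicle_id: str
    ended_at: Optional[datetime]  # None while the trip is still in progress
    points: list                  # (lat, lon) samples
    open_claim: bool = False      # hypothetical flag: damage claim under review

def detach_expired(trips, now, retention=RETENTION):
    """Split trips into (user_linked, vehicle_only) without mutating the input."""
    linked, vehicle_only = [], []
    for t in trips:
        expired = t.ended_at is not None and now - t.ended_at > retention
        if expired and not t.open_claim:
            # Fresh random ID instead of a keyed hash of the old one: a hash
            # would let the key holder rebuild the user's location history.
            vehicle_only.append(Trip(
                trip_id="anon-" + secrets.token_hex(8),
                user_id=None,
                vehicle_id=t.vehicle_id,
                # Day precision only: exact end times can be matched to invoices.
                ended_at=t.ended_at.replace(hour=0, minute=0, second=0, microsecond=0),
                points=list(t.points),
            ))
        else:
            linked.append(t)
    return linked, vehicle_only

# Constructed sample data, not real trips.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE = [
    Trip("t-1", "u-17", "car-A", NOW - timedelta(days=200), [(59.43, 24.75)]),
    Trip("t-2", "u-17", "car-A", NOW - timedelta(days=10), [(59.44, 24.76)]),
    Trip("t-3", "u-42", "car-B", NOW - timedelta(days=120), [(59.40, 24.70)], open_claim=True),
    Trip("t-4", "u-42", "car-B", None, [(59.41, 24.71)]),
]

if __name__ == "__main__":
    linked, vehicle_only = detach_expired(SAMPLE, NOW)
    print([t.trip_id for t in linked], [t.vehicle_id for t in vehicle_only])
```

Route start and end points can themselves point to a person’s home or workplace, so vehicle-only records may still need coarsening before they can be treated as unlinkable.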
Another issue is the use of the email address for various purposes. When a user signs up for your service, the general expectation is that the email address will be used to manage their account identity. You are also allowed to send service emails, such as an invoice at the end of the trip, vehicle information or a vehicle damage claim. If you want to send promotional emails, such as discounts, you should get separate consent for this purpose. Generally, data can be used only for the purpose for which it was collected or for a closely related purpose. In this example, sending direct promotional emails could be considered a legitimate interest of your company. However, you need to include an opt-in for marketing emails when users sign up (not an opt-out; the option cannot be pre-selected when the user is signing up) and provide a way to stop receiving these emails.
Beyond your own clients, you can still use third-party lists or leads for marketing purposes to acquire customers, as long as the information in the list was acquired in compliance with GDPR, users were notified that the collected information would be passed to a third party and used for marketing purposes, the information in the list is up to date, and none of the individuals have withdrawn their consent to the processing of their personal information. When first contacting these individuals, you need to notify them that you acquired their data from a third party and that it will be used to send them marketing emails.
You also need to give your users an opportunity to request the full data that you hold on them. This can be done by contacting your Data Officer or by downloading the data straight from your platform. Since the data stored is important, you need to ensure you have an appropriate identity verification process for data requests. Just getting an email from a known email address might not be enough to verify that the requester is indeed the person whose data you have stored.
Whether any technical security changes will be needed depends on your current practices. Most companies already use end-to-end encryption when exchanging sensitive information with a client. If you haven’t implemented end-to-end encryption, you most likely have to, as the regulation requires that personal data be collected and saved in a secure way. Data storage should also have strong security measures. For security reasons, you are also allowed to keep some types of data, such as IP addresses or other data that is considered important for the security of your network.
Trust in data protection and minimal processing is bound to become a crucial part of the service that we as mobility operators provide. Even beyond the regulation, it is important to recognize that users are well aware of data practices and want to ensure that they can trust service providers with their data. We as businesses have a responsibility to ensure that trust is earned.