Mobility Research

Implementing General Data Protection Regulation in practice: Going beyond updating your privacy policy

06-Jun-2018 14:25:15 / by Mobiag



The General Data Protection Regulation (GDPR) is in full swing, and most of us are already tired of hearing the name or getting privacy policy update emails. However, it’s important to recognize that this regulation has a crucial impact on how we conduct business. Data has become the main fuel for business growth, and this is particularly true in the mobility business, where we rely on data not only to monitor demand and supply of our service in real time but also to see future possibilities for growth.

Most businesses have already consulted their legal teams and updated their privacy policies. However, this is just the beginning, and making appropriate changes in practice can be much harder. If you are in the shared-mobility business, you probably collect personal data from your users, such as their full name, email address, credit card number, driver’s license and location preferences, and you monitor the trips taken by individuals. You probably also run marketing campaigns based on this data. Before going forward, it must be noted that the regulation and its application are quite complex and require frequent evaluation of your policies and processes by legal teams, as well as audits of your data and data practices. With that in mind, here are some general guidelines on how to apply the rules set by the regulation in practice.


Does GDPR apply to you?

If you are in the shared-mobility, rent-a-car or carsharing business and operate in the EU (that is, you have users in the EU, no matter whether your actual office is in the EU), GDPR most likely applies to you, as you collect and manage user data. The application of GDPR doesn’t take into account the size of your business; it applies to any operator that processes personal data. Based on your practices, you might have to keep records of your data processing activities. Generally, companies with fewer than 250 employees are exempt from this part of the regulation, but if data processing is a regular activity, the rules will apply. In most carsharing businesses, data processing is a regular activity.

Another important part is the rule concerning a Data Officer. Generally, if data processing isn’t a core part of your business, you don’t need to have a Data Officer. However, in most carsharing operations some sensitive data might be kept (such as driver’s license information that might reveal the ethnic or racial background of a user). In this case, you will need to have a Data Officer.

If you are a Business-to-Business operator, you can process information on your clients (businesses) freely, as the regulation only applies to natural persons and not legal persons. However, if you also provide data processing for your client (processing personal data of your client’s users), you need to ensure that your client acquires appropriate consent from its users and that your data policies are coordinated properly, so the final user knows who is processing the data. GDPR rules still apply if you are processing “professional” data of users. For example, if your client is a business that offers a carsharing service to its employees and they use their professional contact information (, this would still be considered processing of personal data and you have to apply GDPR rules. Please also note that the manner in which the personal data is collected and kept (whether through the web or with pen and paper) is irrelevant, and the same rules apply. Processing methods are also irrelevant, whether the processing is done manually by an individual or by an algorithm. You need to ensure that the methods the algorithm uses are clearly demonstrated to the user.


Collecting personal data

When collecting personal data, you need to fully understand why each part of the data is needed and what it is used for. In the past, a lot of companies relied on data maximalism: the more data you collect, the more informed your decisions might be. Setting aside whether that idea is correct, it can no longer be used. The regulation sets a data minimalism principle. In practice, this means that every data category collected has to be required for providing the service that the user is requesting from you. You shouldn’t collect anything more than that. Adding more data categories to your privacy policy, or defining data categories broadly, as in old-time Terms of Agreement documents, and getting consent from your user to gather that data could be considered a breach of the regulation. So you can’t just rely on getting “I agree” at the end of the Terms of Agreement anymore; you need to proactively change the data you collect if that data collection is excessive.

Depending on your business type and operations, you are most likely collecting full names, email addresses and passwords of users for account management purposes. This collection remains unchanged, as it is a crucial part of most businesses. Driver’s license, credit card and insurance information are usually also important parts of the carsharing and car rental business, and therefore there are quite strong legal grounds for collecting that information. Please keep in mind that in some cases a driver’s license can be considered sensitive information if it reveals the racial or ethnic origin of a person. Collecting sensitive information imposes additional rules on your business.

Location information is also usually collected. This part is a bit more complex. Location information collected during the actual trip can be considered crucial safety information for your business as well as for the user’s safety. However, after the trip is over, keeping that location information and linking it to the user data can be problematic and requires serious legal evaluation. Generally speaking, since the location data is no longer required after the trip is completed, it should be deleted or pseudo-anonymized. This means you can keep location information for the vehicle, but it shouldn’t be linked to a specific user and should be kept separate. It should not be possible to combine the location information you pseudo-anonymized with the user information you keep to obtain a user’s location history, unless there are very strong legal grounds for this. Depending on the type of service you provide, you might be able to keep user-linked location information for some time after the actual trip has taken place (for example, a user has taken a trip to a certain location, and you want to keep that information so you can check for vehicle damage when the next user opens the vehicle and properly allocate responsibility for any damage). The time for which you keep location data has to have legitimate grounds and cannot be disproportionately long. For example, keeping location data for 3 months (if appropriate legal grounds exist) seems more proportional than keeping data for 5 years. Again, just getting consent for this from a user doesn’t automatically make you compliant with GDPR; you need to evaluate why and for what purposes you use the location data.
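One way to apply the de-linking described above, as an added example that is not part of the original post: trips older than the retention window are moved to a vehicle-only store under a fresh random identifier, and a second check flags records that another retained table (here a hypothetical invoice table) could still join back to a user. The 90-day window, field names and sample data are assumptions.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=90)  # assumption: the 3-month example from the text

@dataclass
class Trip:
    trip_id: str
    user_id: str
    vehicle_id: str
    ended_at: datetime
    track: list  # [(lat, lon), ...]

def delink_expired(trips, now, retention=RETENTION):
    """Return (still_linked, vehicle_only); expired trips lose user and trip ids."""
    linked, vehicle_only = [], []
    for t in trips:
        if now - t.ended_at < retention:
            linked.append(t)
            continue
        vehicle_only.append({
            "record_id": secrets.token_hex(8),     # fresh random id, no mapping table kept
            "vehicle_id": t.vehicle_id,
            "day": t.ended_at.date().isoformat(),  # timestamp coarsened to the day
            "track": list(t.track),
        })
    return linked, vehicle_only

def relinkable(vehicle_only, retained_rows):
    """record_ids that a retained user-keyed table can still join on (vehicle, day)."""
    keys = {(r["vehicle_id"], r["day"]) for r in retained_rows if r.get("user_id")}
    return [v["record_id"] for v in vehicle_only if (v["vehicle_id"], v["day"]) in keys]

# Constructed sample data (not real trips or users).
NOW = datetime(2018, 6, 6, tzinfo=timezone.utc)
TRIPS = [
    Trip("t-1", "u-17", "car-3", datetime(2018, 1, 10, 9, 30, tzinfo=timezone.utc),
         [(38.7223, -9.1393), (38.7369, -9.1427)]),
    Trip("t-2", "u-42", "car-5", datetime(2018, 5, 20, 18, 0, tzinfo=timezone.utc),
         [(38.7071, -9.1355)]),
]
INVOICES = [{"user_id": "u-17", "vehicle_id": "car-3", "day": "2018-01-10"}]

if __name__ == "__main__":
    linked, vehicle_only = delink_expired(TRIPS, NOW)
    print("still linked:", [t.trip_id for t in linked])
    print("vehicle-only:", vehicle_only)
    print("re-linkable via invoices:", relinkable(vehicle_only, INVOICES))
```

A non-empty result from `relinkable` means the separation is only nominal, because the user can be recovered by joining the two stores. The raw track can also identify a person on its own (for example through a repeated home address), which this check does not cover.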

Another issue is the use of email addresses for various purposes. When a user signs up for your service, the general expectation is that the email address will be used to manage their account identity. You are also allowed to send service emails, such as an invoice at the end of the trip, vehicle information or a vehicle damage claim. If you want to send promotional emails, such as discounts, you should get separate consent for this purpose. Generally, data can be used only for the purpose for which it was collected or for a closely related purpose. In this example, sending direct promotional emails could be considered a legitimate interest of your company. However, you need to include an opt-in for marketing emails when users sign up (not an opt-out; the option cannot be pre-selected when the user is signing up) and provide a way not to receive these emails.

Beyond your clients, you can still use third-party lists or leads for your marketing purposes to acquire customers, as long as the information in that list was acquired in compliance with GDPR, users were notified that the collected information would be passed to a third party and used for marketing purposes, the information in the list is up to date, and none of the individuals have withdrawn their consent to the processing of their personal information. When first contacting these individuals, you need to notify them that you acquired their data from a third party and that it will be used to send them marketing emails.

We assume you have already updated your privacy policy and cookie policy on your website to reflect how you monitor the users that visit your website.

You also need to give your users an opportunity to request the full data that you have on them. This can be done by contacting your Data Officer or by downloading the data straight from your platform. Since the data stored is important, you need to ensure you have an appropriate identity verification process when data is requested. Just getting an email from a known email address might not be enough to verify that the requester is indeed the person whose data you have stored.

Whether any technical security changes will be needed depends on your current practices. Most companies already use end-to-end encryption when exchanging sensitive information with a client. If you haven’t implemented end-to-end encryption, you most likely have to, as the regulation requires that personal data be collected and saved in a secure way. Data storage should also have strong security measures. For security reasons, you are also allowed to keep some types of data, such as IP addresses or other data that is considered important for the security of your network.

This is just the tip of a very complex regulation, and you should evaluate your data practices beyond just updating your privacy policy. If you run large-scale operations, you might be under an obligation to carry out a Data Protection Impact Assessment, as defined by National Data Protection Authorities. Implementing a Data Protection Impact Assessment, adhering to a Code of Conduct developed by the appropriate business association and approved by the DPA, or getting certified by the appropriate certification authority in your country signals that you adhere to the General Data Protection Regulation and gives confidence to your customers.

Trust in data protection and minimal processing is bound to become a crucial part of the service that we as mobility operators provide. Even beyond the regulation, it is important to recognize that users are well aware of data practices and want to ensure that they can trust service providers with their data. We as businesses have a responsibility to ensure that trust is earned.
