October 29, 2020

Managing Fleet Risk Part 5

Managing Fleet Risk | Legal Risk

In this final post in our series of five on managing fleet risks, we look at the specific decisions and actions that need to be taken to manage the legal aspects of fleet risk.

The series has covered the fleet risk topics below and links are provided to the previous posts:

  1. Strategic Aspects of Risk
  2. Financial Risk
  3. Reputational Risk
  4. Human Resource Risk
  5. Legal Risk

We also have a comprehensive PDF report which includes all of the topics covered in this series – simply click here if you would like to receive your copy by email.

Legal Risk

In many ways, the risks of being non-compliant with the various laws related to driving at work are mitigated by considering the items covered previously. If measures are in place to deal with HR, Financial and Reputational risks then it’s likely that you’ll have gone a long way to fulfilling your Duty of Care to workplace drivers.

However, without the correct policies and management systems in place, it can be difficult for an organisation to demonstrate that it is doing everything possible to reduce work related driving risks and to keep its drivers safe.

The Health and Safety Executive suggests that while formal management systems are not always required, it is good practice to follow a systematic approach that will help to embed the required processes and behaviours in the business. The approach that they promote is one of Plan, Do, Check, Act. We’ll take a look at this approach and what it means from a practical perspective for fleets.

1. Plan – This is about assessing your current situation, determining your objectives and developing a plan for work-related risks. The steps within this are likely to include:

  • Carrying out an assessment of the work-related road safety risks that currently exist within the organisation. This would include:
    • How the organisation uses the road; the employees involved, the vehicles they use and the types of journeys undertaken.
    • What risks this road use generates to employees and others, plus the potential consequences of those risks.
    • What measures need to be put in place to effectively manage and reduce these risks and consequences.
  • Developing a road health and safety policy based on the identified risks that determines how key items will be managed. This would include many of the items covered previously such as:
    • Vehicle suitability, maintenance and condition
    • Accident management and reporting
    • Driver assessment, licence checking and declarations
    • Grey fleet management
    • Driver health and fatigue prevention
    • Alcohol and drugs
    • Use of mobile devices
    • Journey planning
  • Determining and recording roles and responsibilities for work-related road safety, plus lines of communication and reporting.

2. Do – This is about implementing your plan and ensuring that the policies and procedures within it are understood and adhered to. This should include:

  • Determining the biggest risks to the organisation’s fleet and the priority areas to address.
  • Deciding on the preventive and correctional actions required and implementing them.
  • Ensuring that the right resources, training and information are in place both to implement the actions and to maintain them over time.
  • Delivering clear communication for all employees to ensure everyone is clear about their fleet related health and safety responsibilities.

3. Check – This is about measuring your performance against your fleet risk objectives. This should include:

  • Assessing how successful the organisation has been at implementing its plans. It’s important to note that while documentation of actions taken is useful, it’s the tracking of incidents and analysis of whether fleet risk is actually being reduced that is essential.
  • Encouraging employees to report all incidents, no matter how minor.
  • Investigation of fleet incidents, and even near misses, to identify the causes and determine any failures in the risk management processes.
  • Undertaking formal audits, particularly in the case of major fleet incidents, to identify changes that need to be implemented to prevent any recurrence.

4. Act – This refers to using the information collected as part of your fleet risk management processes and analysis to improve future performance. It should also include being aware of improvements to industry best-practice and implementing any learnings from this.

As the amount and depth of information increases, it should also be possible to identify those drivers at greatest risk and take preventative action to reduce incidents. A further action would be to revisit all risk policies and processes to ensure that they are still fit for purpose. To read more about the Plan, Do, Check, Act approach visit the HSE website.

Business admin

Fleet data risks and GDPR

The introduction of the General Data Protection Regulation, or GDPR, in 2018 has meant a number of fundamental changes in how fleet data is treated. The regulation aims to give individuals increased control over their personal data and also introduces a requirement to report data breaches that meet certain criteria to the Information Commissioner’s Office (ICO). There are a number of concepts under GDPR that have created new risks that need to be understood and managed, these are discussed below.

Personal data

The definition of ‘personal data’ includes items that would not previously have been considered, such as IP addresses, mobile device identifiers and ‘pseudonymous data’ which may have been encrypted but is still traceable to an individual.

Perhaps the key take-out here from a fleet perspective is that data collected via telematics devices on location, speed and driving style are likely to be construed as personal data under the new rules.

Employees driving for business must be made aware of the types and depth of information being recorded, what uses it could be put to and how they are able to access it and request its deletion. If these measures are not in place, the organisation is under considerable risk of breaching GDPR.

Data handling

One of the other key changes under GDPR relevant to fleets is that drivers must consent to their data being collected, stored and used. In many instances, the driver will have given this consent within their employment contract. If this is not the case, then the creation of an addendum to the contract, or the signing of a separate declaration of consent is advisable to mitigate risk of a breach.

In addition to consent, there are other circumstances that allow an organisation to handle and process personal data, these include compliance with a legal obligation and where a ‘legitimate interest’ exists. Organisations can process data without consent of the individual if they are deemed to have a legitimate interest in doing so. This could include administrative purposes (e.g. running payroll), prevention of fraud, health and safety, security and market research.

The key here is that the processing of the data does not interfere with individuals’ rights, freedoms, and legitimate interests.

Breach mitigation

As fleet managers are responsible for a wide range of drivers’ personal data, it’s important that all of the processes for collecting, using, storing and deleting this are documented and regularly reviewed.

A good way to ensure compliance with GDPR’s requirements is to conduct a Data Protection Impact Assessment on all of the data collection processes involved in managing the fleet. In the ICO’s own words:

‘A DPIA is a process designed to help you systematically analyse, identify and minimise the data protection risks of a project or plan. It is a key part of your accountability obligations under the GDPR, and when done properly helps you assess and demonstrate how you comply with all of your data protection obligations.’

In other words, it assists in demonstrating that you have considered all of the risks related to the processing of data for a particular business process or project. To find out more about DIPA’s visit: https://ico.org.uk/.

It’s also important to recognise that the fleet manager’s responsibilities for drivers’ data extends beyond the business to any relevant suppliers. This means ensuring that their processes are also GDPR compliant and that drivers’ data is secure.

For more information on GDPR visit the Government’s site.

Speak to the experts

The expertise required to manage all forms of fleet related risk is unlikely to reside with a single individual or role in the organisation. To ensure that important elements of risk are not overlooked, and to develop the most robust approach to managing and reducing fleet-relate risks, it’s advisable to seek expert input. To read more about CLM’s approach to fleet risk management and to contact us for a no-obligation discussion click here.

If you have missed any of this series, or would like to review any of the content covered, we have produced a comprehensive PDF report which includes all of the risk management topics – simply click here to download.