Planning to meet data protection requirements

Plan for data protection. These activities should be incorporated into the planning phase of other business projects. They include:

• Application of the principles of data privacy by design and default
• Facilitation of Data Protection Impact Assessments
• Identification of critical terms for processors and sub-processors

Managing a Mobile Workforce

A company is planning to introduce a data-based service to help it manage its fleet of vehicles and its mobile workforce. The company will gain efficiencies in the use of its mobile workforce as a result of this new service and anticipates a reduction in the costs.

Although the system will track the vehicles, the data gathered can be related to the driver and therefore is personal data.

There are many data-related decisions that the company will need to consider, including:

• What is the legal basis for collecting the data?
• What data will be collected?
• How long will it be retained?
• Is it special category data?
• Who needs access to it?
• How will the data subjects be notified?

Data Protection Impact Assessment

A data protection impact assessment is a formal process to consider these questions and assess the risks to the rights and freedoms of the drivers.

This assessment identifies the risks. If there are high risks , then they will need to consult with the Data Protection Commission, and the Data Protection Commission will need to approve the service and controls the company can start collecting data.

If the company had previous experience with similar data processing activities, a data protection impact assessment is not required. The company should have an understanding of the risks and established mitigating actions. The company must document the reasons.