Driving data protection compliance: employee vehicle monitoring

What is vehicle monitoring and why?

Vehicle monitoring refers to the practice of collecting and analysing data related to the operation and usage of vehicles. Businesses are increasingly using employee vehicle monitoring to improve productivity, optimise management, and ensure safety, including the use of telematics systems consisting of GPS technology, onboard vehicle diagnostics and other inbuilt software. GPS technology enables organisations to monitor and manage their vehicles by collecting real-time data on location, speed, fuel use, and more. This data can be used for optimising routes, improving safety, and cutting costs. Vehicle telematics systems that combine GPS technology with other telematics technology enable organisations to gain more sophisticated insights into driver behaviour, vehicle diagnostics, and fuel use. Apart from speed, a telematics system can capture details such as accelerator and brake usage frequency. Other monitoring tools, like dashcams and in-cabin cameras, can enhance security by recording footage inside and around the vehicle.

The monitoring of vehicle telematics systems enables organisations to gather a wealth of data, encompassing not just vehicle-related data, but also personal data such as employee whereabouts, driving habits and other activities. It may even be possible for organisations to collect personal data about third parties, such as passengers or other road users.

ICO launches consultation on new Data Protection Fining Guidance

On 2 October 2023, the UK's Information Commissioner's Office ("ICO") released its draft Data Protection Fining Guidance ("Draft Guidance"). The Draft Guidance provides a comprehensive overview of the legal framework underpinning the ICO's authority to levy fines, the conditions that warrant the issuance of penalty notices, and the factors that influence fine calculations. The Draft Guidance is now open for consultation until 27 November 2023.

Cracking down on cookies: Recent complaints and regulatory enforcement

While the rules relating to the use of cookies and similar tracking technologies in the UK and Europe are long established, it is only in recent years that we have seen a targeted focus by data protection authorities ("DPAs") to crack down on cookie-related compliance. This reaction from the regulators is partly a response to increasing complaints from data subjects and partly due to focused efforts by privacy activists calling for stricter regulation and enforcement action.

Breach response: How do we reconcile international incident and breach reporting requirements?

The exponential increase in the number of cybersecurity threats has led to privacy and security executives acknowledging the need for reconciliation of incident and breach reporting requirements.

ICO publishes new guidance on employee monitoring

On 3 October 2023, the Information Commissioner's Office (the "ICO") published new guidance on employee monitoring. This aims to provide practical advice to ensure that employers comply with their obligations under the UK GDPR and Data Protection Act 2018.

Snap into (ICO) action

Snap, Inc. and Snap Group Limited ("Snap") have received a preliminary enforcement notice from the Information Commissioner's Office ("ICO") over their potential failure to assess the privacy risks associated with the 'My AI' chatbot. This notice came after an investigation revealed that Snap may not have adequately identified and assessed the risks to millions of 'My AI' users in the UK, including children aged 13 to 17.

Building data bridges: UK extends EU-US Data Privacy Framework


On 21 September, the Department of Science, Innovation and Technology published the Data Protection (Adequacy) (United States of America) Regulations 2023, which are set to come into effect on 12 October 2023. From this date, UK organisations will be able to transfer personal data to US entities certified under the UK Extension to the EU-US Data Privacy Framework (also known as the "UK-US Data Bridge") without the need to implement further transfer safeguards.

In anticipation of the UK-US Data Bridge, on 18 September, the US Attorney General designated the UK as a "qualifying state" under Executive Order 14086 ("Executive Order"). As a result, UK individuals can benefit from the oversight and redress mechanisms for US signals intelligence activities that have been introduced by the Executive Order.

India pushes ahead with new Digital Personal Data Protection Act

On 11 August 2023, India's new data protection legislation – the Digital Personal Data Protection Act 2023 – was enacted and published in the Official Gazette. The Act sets out obligations and rules for entities processing personal data, each referred to as a Data Fiduciary, and the rights of individuals, whom the Act refers to as Data Principals, in respect of that processing.