GDPR and Driving Schools

GDPR and Driving Schools

15th May 2018

What is GDPR and how will it affect my Driving School? 

GDPR stands for General Data Protection Regulation, Europe's new framework for data protection laws – it replaces the previous 1995 data protection directive, upon which current UK law is based on.

A new set of data protection laws come into force across the EU on May 25 and - until Brexit comes to pass - the UK must comply along with the rest of Europe. 

The new rules are intended to overhaul how businesses process and handle individuals' personal data, this includes driving schools, even if you are a paper-based and don’t use anything IT or electronic. 

Until Britain formally departs from the European Union, the laws will effectively replace the old Data Protection Act (1998) when they come into effect in May 2018.

The Data Protection Act 1998 wasn't written with the contemporary uses of data enabled by the internet and services - such as Facebook and Google - in mind.

According to the EU's GDPR website, the legislation is designed to "harmonise" data privacy laws across Europe as well as give greater protection and rights to individuals.

It includes new rights for people to access the information companies hold about them, obligations for better data management for businesses, and a new regime of fines. In essence, if you hold any information about your pupils/clients and it is personally identifiable to that person, then you need to be GDPR compliant. So, this includes Name, Address, Telephone number, Driving Licence details etc etc.

What do driving schools need to do differently? 

Many of the GDPR’s main concepts and principles are much the same as those in the current Data Protection Act (DPA). 

If you are complying properly with the current law (data protection), then most of your approach to compliance will remain valid under the GDPR and can be the starting point to build from. 

However, there are new elements and significant enhancements, so you will have to do some things for the first time and some things differently. My GDPR pack will contain all the necessary information for GDPR best practices.

What is 'consent' under the GDPR? 

You may have recently received emails from firms asking if you'd be happy to "stay connected" or from websites such as Google or Facebook (including aps) asking that you "review your terms". 

That's because, under GDPR, consent must be an active, affirmative action by the data subject, rather than the passive acceptance under some current models that allow for pre-ticked boxes or opt-outs.

Controllers must keep a record of how and when an individual gave consent, and that individual may withdraw their consent whenever they want. 

If your current model for obtaining consent doesn't meet these new rules, you'll have to bring it up to scratch or stop collecting data under that model when the GDPR applies in 2018.

I will be creating a GDPR pack over the next few days especially for driving schools which will contain all the information, documents and guides which will make your driving school GDPR compliant.

What happens if you break GDPR rules? 

The GDPR grants regulators the power to fine businesses that do not comply with it. 

In the UK, the Information Commissioner's Office (ICO) would be able to levy fines of up to £8.8m (€10m) or two per cent of a firm's global turnover (whichever is greater). 

Those guilty of more serious breaches could face larger fines of up to £17m (€20m) or four per cent of global turnover. 

These penalties are significantly higher than the £500,000 charges the ICO is currently able to dole out.

Here are just some samples of information that you should have in place

  • You must have a privacy policy in place (to provide processing information)
  • Right to access – Your pupils have the right to access their personal data
  • Right to rectification – Your pupil’s rights to request rectification of their data if not accurate
  • Your pupil’s rights to restrict you of processing their personal data
  • Right to erasure
  • A document explaining why you need a pupil’s data
  • A document which informs your pupil what you intend to do with their data
  • How long the data will be stored for and how it will be stored
  • Make clear the contact details of your business
  • How their data will be erased

The above list is by nowhere an exhaustive list, it’s just to give you an idea about some of the processes you need to put in place for data control and data processing.

Keep an eye out over the next few days for our Driving School GDPR pack or get in touch with us if you have any questions.


This Blog is not the same as legal advice, where a solicitor guides you about the law to your specific circumstances, so we insist that you consult a solicitor if you’d like advice on interpretation of this information or its accuracy. In a nutshell, you may not rely on this Blog as legal advice, nor as a recommendation of any particular legal understanding but use the above information purely as a guide.