On the 25th of May important changes to UK’s privacy laws will be enacted.
The changes to the data protection laws will affect anyone who collects and processes personal information, including licensed private hire and taxi companies that collect information when, for example, accepting bookings for a journey.  The relevant types of information may include names, addresses and contact details.
These changes will require greater accountability and transparency from, in this case, licensed private hire and taxi companies on how they collect and process customers’ personal information.
In this article I will briefly look at the new data protection rules and what the implications are for the taxi and private hire sector.  I will focus the article on the business/customer interaction but it is worth noting the same obligations also pertain to employees and licensing authorities.

A brief introduction to General Data Protection Regulation (“GDPR”)

GDPR is the EU General Data Protection Regulation, which will replace the Data Protection Act 1998 on the 25th of May.  GDPR does not represent a complete overhaul of data protection laws in the UK but it does place a much greater emphasis on businesses being accountable for and transparent about data processing and introduces more stringent penalties for data breaches and non-compliance with the regulation.
GDPR sets out a number of data protection principles that set out the main responsibilities for organisations. GDPR requires that personal data shall be:

  1. processed lawfully, fairly and in a transparent manner in relation to individuals;
  2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
  3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
  4. accurate and, where necessary, kept up to date;
  5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
  6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Under GDPR you are a ‘controller’, a ‘processor’, or both.  A controller determines the purposes and means of processing personal data and a processor is responsible for processing personal data on behalf of a controller.

What information does the GDPR apply to?

GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.
“Processing” personal data refers to any operations performed on this personal data (whether those operations are automated or not). Common types of personal data processing include (but are not limited to) collecting, recording, organising, structuring, storing, modifying, consulting, using, publishing, combining, erasing, and destroying data.

Processing personal information lawfully

If you process personal data, you must have a lawful basis for doing so. Under GDPR, there are six lawful bases for processing information:

  1. By consent
  2. Contract
  3. Legal obligation
  4. Vital interest
  5. Public task
  6. Legitimate interest

As a licensed taxi or private hire company (including self-employed), the lawful basis for processing personal information will most likely be by consent or contract.
For example, when someone books a journey with you, you are for all intents and purposes entering into a contract, or in other words, you agree to provide a service in exchange for payment.  In order for you to fulfil your part of the contract obligation you will need to collect and process information such as names, contact details, address etc.  Under GDPR, a contract does not have to be a formal signed document, or even written, as long as there is an agreement which meets the requirements of contract law. In general, this means that the terms have been offered and accepted, you both intend them to be legally binding, and there is an element of exchange (usually an exchange of goods or services for money, but this can be anything of value).

Be aware of your obligations towards your customers

As I previously stated, GDPR places a greater emphasis on transparency and the rights of individuals. GDPR now provides the following rights for your customers:

  1. The right to be informed
  2. The right of access
  3. The right to rectification
  4. The right to erasure
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object
  8. Rights in relation to automated decision making and profiling

If you collect and process personal information from customers, you now have very specific obligations towards the individuals whose information you collected and processed.

Right to be informed

Your customers have the right to be informed about the collection and use of their personal data.
You must provide individuals with information including: your purposes for processing their personal data, your retention periods for that personal data, and who it will be shared with. This is called ‘privacy information’ and you must provide privacy information to individuals at the time you collect their personal data from them.
The Information Commissioner (ICO) does not prescribe what form privacy information should take but usually it is published as a privacy statement on a business’ website where customers can be directed to.
Whatever form your privacy statement takes, it must contain the minimum information outlined above and must be concise, transparent, intelligible, easily accessible, and it must use clear and plain language.
If you obtain personal data from other sources, you must provide individuals with privacy information.  This is relevant to, for example, sub-contracting where an operator will pass on a booking to another operator.   It is advised that a general reference to the possibility of sub-contracting be included in your privacy statement to cover off any potential issues that may arise as a result of this.

Other user rights

Under the GDPR, individuals will have the right to access their personal data.  You will be required to provide a copy of the information free of charge. However, you can charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive.
The right to access is a fundamental transparency requirement under GDPR but also acts as a means for individuals to have inaccurate personal data rectified or completed if it is incomplete.  An individual can make a request for rectification verbally or in writing.
You must therefore ensure that you have a procedure in place for any subject access requests and make sure staff are trained to deal with this.  The ICO have advised that instructions on how to make requests be included in privacy statements.
One final but important point on your customers’ rights under GDPR is the right to have their personal data erased, otherwise known as the right to be forgotten.  This right applies when:

  • the personal data is no longer necessary for the purpose which you originally collected or processed it for;
  • you are relying on consent as your lawful basis for holding the data, and the individual withdraws their consent;
  • you are relying on legitimate interests as your basis for processing, the individual objects to the processing of their data, and there is no overriding legitimate interest to continue this processing;
  • you are processing the personal data for direct marketing purposes and the individual objects to that processing;
  • you have processed the personal data unlawfully (ie in breach of the lawfulness requirement of the 1st principle);
  • you have to do it to comply with a legal obligation; or
  • you have processed the personal data to offer information society services to a child.

Direct marketing

One of the most significant areas of change under GDPR is consent.  As I have already explained, under GDPR you must have a legal basis for processing people’s data.  This includes processing their data for the purpose of direct marketing.
Before GDPR, it was common practice for businesses to add people’s information to mailing or marketing contact lists purely because they may have expressed an interest in products or services they offer.  More relevant to a licensed taxi or private hire company might be for customer contact details to be added to a mailing list purely because they have in the past used the services of the operator.
This is no longer permissible.  GDPR has made it absolutely clear that the only way businesses can process people’s information for the purpose of direct marketing is through explicit consent.  This means that consent requires a positive opt-in and the use of pre-ticked boxes or any other method of default consent is no longer permitted.
The ICO has been very clear that explicit consent requires a very clear and specific statement of consent (or a privacy statement) and consent requests must be kept separate from other terms and conditions.
If you have existing mailing or marketing contact lists (pre-GDPR), you will need to contact people whose information is on that list in order to get their express consent; otherwise you will not be able to lawfully use their contact details for direct marketing.

Where do you store customers’ data?

GDPR imposes restrictions on the transfer of personal data outside the European Union.  It does so to ensure that the level of protection of individuals afforded by the GDPR is not undermined.
If you store your customers’ information on electronic systems, it is important to check where the servers and other IT equipment used to store any information are located.

Data breaches

A key principle of the GDPR is that you process personal data securely by means of ‘appropriate technical and organisational measures’, also known as the ‘security principle’.  This means that you now have a statutory responsibility to process personal information in such a way that it is secure.
You have a statutory duty to report certain types of personal data breaches. You must do this within 72 hours of becoming aware of the breach, where feasible.
If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, you must also inform those individuals without undue delay.

In summary

The changes brought about by GDPR can be overwhelming, especially for smaller businesses.  It is important, however, to get to a place as a business where you are able to demonstrate GDPR compliance.  Even if by the implementation date you are not GDPR compliant, it is important to evidence the fact that you are working towards compliance.
The ICO can impose substantial financial penalties (fines of up to 20 million Euros/2-4% of your annual turnover) but also issue warnings and reprimands, impose a temporary or permanent ban on data processing, order the rectification, restriction or erasure of data and suspend data transfers to third countries.
The alternatives to a fine may seem less significant; however, public warnings and reprimands could have severe reputational implications for a business.  Furthermore, a temporary or permanent ban on data processing can be devastating for a licensed private hire and taxi company because it will in effect render the business unable to operate.
GDPR contains explicit provisions about documenting your processing activities.  Whether you are compliant or working towards compliance, the list below is a helpful start to check your compliance or a guide to work towards compliance:

  • adopting and implementing data protection policies;
  • taking a ‘data protection by design and default’ approach;
  • putting written contracts in place with organisations that process personal data on your behalf;
  • maintaining documentation of your processing activities;
  • implementing appropriate security measures;
  • recording and, where necessary, reporting personal data breaches;
  • carrying out data protection impact assessments for uses of personal data that are likely to result in high risk to individuals’ interests;
  • appointing a data protection officer; and
  • adhering to relevant codes of conduct and signing up to certification schemes.


Taken from the June 2018 PHTM edition.  This article was written by Stephen Mccaffrey, Head of Kings View Chambers & Taxi Defence Barristers.