This is particularly relevant to Healthcare Professionals as well as commercial practitioners...

(Updated Nov 25 to incorporate the DUAA 2025)

Using Your Own Car for Work? Do Not Forget Your Data Protection Duties

Most people jump in their car, tap an address into the satnav, switch on the dashcam and get on with the day. Fair enough. But the moment you use your private vehicle for work such as house calls, site visits or client meetings, you are processing personal data.

Once personal data enters the picture, the UK GDPR, the Data Protection Act 2018, PECR where relevant, and the Data Use and Access Act 2025 all apply.

The same applies if you are driving a company vehicle. The regulations do not care whose name is on the logbook. If you are collecting or storing personal data in that vehicle, you are acting as a Data Controller and the obligations sit with the organisation.

This is where a lot of businesses get caught out.

What You Are Actually Collecting

Using a vehicle for work can quietly gather far more personal data than most people realise:

• Client addresses or postcodes typed into a satnav

• Dashcam footage that includes faces, number plates and incidents

• Messages, contacts, call logs and GPS data on mobile phones

• Journey histories stored in the vehicle system

• Telematics data in company vehicles

All of this is personal data. Under DUAA 2025, some of it will also fall into operational data that must be logged.

Your Responsibilities Under UK GDPR, DPA 2018 and DUAA 2025

1. You are a Data Controller whether it is your car or the company’s

If your business decides why and how the data is processed, it is the Data Controller. That brings with it the usual requirements of lawful basis, transparency, minimisation, retention, SAR handling, security and accountability.

DUAA now adds further duties which include:

• Section 9 mandatory logging of access, alteration and disclosures

• Section 14 accountability records covering what data was processed and for what purpose

• Stronger expectations around organisational oversight and governance

• A clear reporting line to the Accountable Person

If you allow staff to use their own vehicles for business, those vehicles effectively become part of the workplace in data protection terms.

Satnavs

Entering a client’s address into a satnav is data processing.

You must:

• use the data only for navigation

• be transparent with the client

• remove the data once no longer required

• be able to locate or explain deletion if a SAR is made

Satnav histories can be disclosable.

Dashcams

Dashcams capture faces, number plates and events. That is personal data.

You must ensure:

• a lawful basis for recording

• clear retention periods

• secure storage

• proper deletion

• the ability to respond to SARs

• logging of access under DUAA where applicable

Selling or disposing of a dashcam without wiping it properly can expose personal data and would normally count as a reportable breach.

Mobile Phones

Whether the phone is company issued or personal, using it for work means it will hold personal data.

Organisations must ensure:

• adequate security

• controlled access

• deletion policies for old data

• separation of work and personal data where possible

• DUAA logging where applications sync or transmit operational data

Replacing or selling a phone without wiping it correctly can leak years of client information.

Using Your Own Vehicle

If you use your private car for business, be aware that:

• satnav histories may be visible to other family members

• dashcam clips may be accessed casually

• a shared car increases the risk of accidental access

• selling the car without resetting the infotainment system may hand over personal data to a stranger

Clients would not expect their address history to appear on someone else’s dashboard.

Company Vehicles

Many company vehicles carry additional systems such as telematics, tracking and driver behaviour monitoring. These require:

• Article 13 and 14 transparency

• appropriate retention periods

• DUAA logging where relevant

• inclusion in your ROPA

• meaningful supervision by the Accountable Person

How to Stay Compliant Without Making Life Hard

1. Data Minimisation

Only keep what you genuinely need. Clear satnav routes, delete dashcam footage when no longer required and remove unnecessary messages from devices.

2. Transparency

If staff are monitored through vehicle systems, tell them in clear terms.

3. Security

Encryption, passwords, physical security and sensible cloud controls.

4. Retention and Deletion

Short retention periods. Wipe devices properly. Reset vehicle systems before disposal or resale.

5. DUAA Logging

Keep the required logs under Section 9 and Section 14. Record decisions, access and sharing. Maintain proper governance records that show who processed what and why.

6. Training

Staff need to understand that satnavs, dashcams and mobile phones form part of the organisation’s data protection environment.

Final Word

This is not difficult. It is simply treating the data in your vehicle with the same care you give to the data on your laptop or in your filing system. Whether you are the employee on the road or the business owner carrying the risk, you do not want the contents of a satnav or an old memory card causing embarrassment, investigation or fines.

© Hebborn Consultancy Ltd. 2025