Understanding Your UK GDPR Obligations: Using Your Private Vehicle for Business, Satnavs, Dash Cams, Mobile Devices, and the Need for Regular Data Deletion
- Stan Hebborn
- Jan 29
This is particularly relevant to Healthcare Professionals as well as commercial practitioners...

If you use your private vehicle for business purposes, whether it’s for house calls, client visits, or any other work-related activities, it’s important to understand your obligations under the UK General Data Protection Regulation (UK GDPR). Many of us don’t think twice about entering client addresses into a satnav, using a dashcam for security, or checking work messages on our phones. However, these everyday actions can result in the collection of personal data, and that data is subject to strict data protection laws.
While these obligations are particularly relevant to those using their own vehicles for business, it’s important to note that the same rules apply when using company vehicles, too. Whether you’re driving your own car or a company vehicle, if you’re collecting and processing personal data, you have responsibilities as a Data Controller.
The Data Controller’s Responsibilities
Under the UK GDPR, businesses that use satnavs, dashcams, and mobile devices to collect personal data—whether in private or company vehicles—are considered Data Controllers. This means your business is responsible for any personal data that is collected, stored, and processed through these devices. The same rules apply whether you're using your private vehicle for work-related tasks or driving a company car.
Personal data in this context can include location data (from satnavs), video footage (from dash cams), and even information stored on mobile devices, such as contact details, messages, and GPS coordinates. As a Data Controller, it’s essential to ensure this data is processed and handled in compliance with the UK GDPR.
Data Captured by Satnavs
When entering client addresses into a satnav system, businesses are processing personal data. Client addresses can identify individuals or, when combined with other data, reveal sensitive personal information. Therefore, the data entered into satnavs for business purposes is subject to the UK GDPR.
As a Data Controller, it’s essential to ensure that any data entered into satnavs is processed lawfully. This includes obtaining consent from clients when necessary, ensuring the data is used only for its intended purpose (navigation), and being transparent with clients about how their data will be used and stored. Additionally, this data could be subject to a Subject Access Request (SAR), which means clients or employees may request to see the personal data you hold about them. You must be able to provide this data in compliance with the UK GDPR.
Dashcam Footage
Dashcams record video footage that may include personal data, such as images of individuals, number plates, or even sensitive incidents. This footage may also capture information about clients, pedestrians, or other road users, making it subject to the UK GDPR.
Businesses must ensure that any dash cam footage is processed in line with data protection laws. This means footage should only be retained for as long as necessary and stored securely, with clear procedures in place for deleting it once it’s no longer needed. Furthermore, footage may be disclosed under a Subject Access Request (SAR), so businesses must be prepared to handle these requests in accordance with the law.
Mobile Devices: Phones, Satnavs, and Messaging
Many employees use mobile phones—either business-issued or personal—to carry out work-related activities, such as communication, navigation (via satnav apps), or messaging clients. These devices may store client contacts, messages, or location data, all of which are classified as personal data under the UK GDPR.
Business-issued mobile devices and satnav devices should be treated with the same level of care as any other device that collects personal data. This includes ensuring that appropriate security measures are in place to protect the data, as well as clear policies for the use and retention of personal data.
For those using personal mobile devices for company business (such as using your personal phone for work calls or navigation), it’s crucial to manage and protect any personal data stored on these devices. This means regularly deleting unnecessary data, especially when the device is used for both personal and business purposes. Employees should also be aware that if they sell or change their device, they may unintentionally pass on personal data to the new owner. Data could remain in the phone’s memory, satnav history, or messaging apps, and the new owner could access this information if the device is not properly wiped.
Using Personal Vehicles for Business
When using a private vehicle for business, employees must be particularly vigilant about how data is managed. If the vehicle is shared with family members or others, there’s a risk that personal data, such as client addresses stored in the satnav or footage from a dash cam, could be accessed by others.
Additionally, if the vehicle is sold or transferred, personal data could be unintentionally passed on to the new owner if the devices are not properly wiped. The satnav, dash cam, and phone memory may still contain personal data, which could lead to an inadvertent data breach.
Remember, this is equally applicable to company vehicles. Whether you're using your own car or a company vehicle, the same data protection rules apply. Proper care must be taken to protect any personal data stored on satnavs, dash cams, or mobile devices.
Compliance with the UK GDPR and the DPA 2018
To ensure compliance with the UK GDPR and the DPA 2018, businesses should implement the following practices:
Data Minimisation: Only collect the personal data necessary for business purposes, such as client addresses for navigation or relevant footage for safety purposes.
Transparency: Ensure clients and employees are informed about the data being collected and how it will be used. This could involve providing information via client-facing documentation or signage in vehicles.
Security: Implement robust security measures to protect personal data, including encrypting data stored on mobile devices and ensuring dash cam footage is securely stored.
Retention and Regular Deletion: Retain data only for as long as necessary and ensure it is securely deleted when no longer required. Regularly clear data from mobile devices, satnavs, and dashcams to avoid unintentional data retention.
Employee Training: Provide clear guidelines and training for staff on their data protection responsibilities, including how to handle personal data stored on satnavs, dashcams, mobile phones, and personal vehicles.
While these obligations may seem pedantic, they are very important, especially for those whose data is being processed. The key step forward for companies and staff is developing awareness and adopting best practices. By doing so, businesses can mitigate the risks of unintentional data breaches and ensure personal data is handled responsibly and in compliance with data protection laws.
Whether you are the staff member or the business owner, you really don't want something like this to be the cause of the reputational damage and fines that could follow a data breach.
© Hebborn Consultancy Ltd. 2025