GDPR compliance concept on laptop

With the rise in advanced GPS and online mapping software, tracking location data has never been easier or more useful to modern companies. You can use location-tracking information to trace your fleet of vehicles across the city. It can be used to target your content and best search results to the current location of a customer. You can even use it to quickly locate a lost or stolen mobile device that belongs to the company. But with great power comes great responsibility. Especially with the dawn of GDPR Compliance.

GDPR is the EU’s new regulations that require every EU and EU-related business to be more responsible with the personal data they collect and use. For those of you familiar with GDPR compliance, you already know that the regulations are designed to protect personal identifying information of both customers and employees because misuse or hacking of that information can be harmful.

You may now be wondering what all that has to do with locators, which aren’t personal at all. That is exactly what we’re here to talk about today.

Location as an Identifying Factor

Believe it or not, locator information can be just as revealing about a person as skimming their social media. Consider what a company might learn about a person using standard analytics just by following the location of their phone. The residential location and business location they visit most will reveal a home address and a workplace. The phone visits a bank and you know where that person banks. The phone visits a church regularly and you know the faith of your data subject.

Everything about where a person goes can reveal something personal and identifying about them. Where they shop, their favorite restaurant, the home addresses of their closest friends and relatives. In fact, when you look at locator data in this light, it’s easy to see why GDPR considers it sensitive and highly revealing information.

Even tracking the location of employees on the job can be revealing, depending on what is being identified. With precise enough location data, you can even reveal how quickly an employee drives. You can also determine the routes they prefer to take and their exact current location.

Risks of Tracking and Storing Location Data

The primary goal of GDPR in regulating personal data use is to protect EU citizens from harm. In the hacker-fearing world we live in today, it’s vital that companies acknowledge not just the intended supportive us of their data, but also the potential nefarious uses of the same data in the wrong hands.

Location data opens up customers and employees to a very specific set of risks depending on which ‘wrong hands’ the information falls into.

  • A hacker determined to commit identity theft, for example, could use a customer’s continuous GPS location data to determine their lifestyle and personal habits thus making it easier to impersonate the target. As we mentioned, a hacker can learn the bank a person uses, their church, their home, or use location data to track down their friends and family.
  • A hacker working with a real-world thief could use location data to predict or confirm when a person will be away from home, out to lunch, or stuck in the commute unable to stop an attack in action.
  • A stalker who gains access to tracking information by unlawfully accessing company data can find out the exact location of their target, allowing them to follow and even attack a person when they are most vulnerable and far from sources of help.
  • Even package thieves can make use of exposed location data by finding a way to waylay or steal from your delivery vehicles, potentially putting employees at risk.

These examples are only a small sample of the potential risks location data can pose if insecurely tracked and stored. Companies that use location data must acknowledge both the potential dangers and address ways to protect data subjects in order to keep them safe from both hackers and physical-world attackers.

The Requirement to Inform of Data Collection & Use

Once you acknowledge the risk of location data collection, the next step is to make sure your data subjects are informed and in control of how their data is used. GDPR now requires all EU citizens to be informed when their data is being collected, what exactly is being collected, and what the data is being collected for. Long contractual legalese is no longer acceptable, and the data collection plan must be laid out in plain easy-to-understand language.

Remember, this applies to all customers and all employees that live or work in the EU.

In terms of location data, you are first required to inform the data subject (employee or customer) that you intend to collect the data and why. They must then consent — in writing — to have their data collected. Automatic or assumed consent is also no longer acceptable. No pre-checked boxes or inclusive consent hidden inside other terms. Your EU data subjects must overtly agree to have their locations tracked for the purposes yo indicate.

Right to See Personal Identifying Data

If your data subject requests a copy of any identifying data, you must deliver that copy within 30 days of the request. This ensures that EU citizens are able to remain informed of what data is out there about them and just how revealing it might be.

Right to Deletion

If a data subject of yours requests that you delete any past identifying information from your servers, you must do this. GDPR has made it illegal in the EU to store personal and identifying data about someone against their will.

GDPR compliance graphic

Justified Business Use for Collecting Location Data

Why you collect and how you use personal location data also matters to the GDPR. Not only must you share your purposes for data collection with the data subjects to receive consent, but you must also have a good reason for collecting the data. Keeping identifying data for data’s sake is not something the GDPR supports. If you want to research the data, this purpose must be clearly enumerated.

There are many reasons for a company to collect location data and many ways to do it. But whatever you choose, your methods must clearly match the reasons given. If, for example, your stated reason is to count return customers using their phone locators, then you should not be tracking customer phone locations outside of your store venues. If your stated purpose is to track delivery trucks when they’re out in the field, you should not then also be tracking employee devices when they clock out and go home.

How to Tackle Locator Data and GDPR Compliance

Chances are, you’re reading this article because your company has plans to track locator data (or is already doing so). You want to remain in compliance with GDPR for all EU customers or employees. That’s great news, but the question is how to do this right.

The key ingredients to a GDPR-compliant locator plan are:

  • A Clear Plan of Use
    • What data you’re collecting and why you’re collecting it
  • An Informed Consent Form
    • Informing subjects and attaining consent to collect specified locator data
    • Usually accomplished with a new Privacy Policy
  • Careful Data Curation
    • Know where your data is and how it’s stored
    • Be able to provide copies when asked
    • Be able to delete records when asked

MetaLocator GDPR Compliance

For readers considering working with MetaLocator, rest assured that we work hard to stay in compliance with GDPR at all times. Whether or not the data subject is located in the EU currently. Check out our GDPR resources on the website to see how we’ve handled transparency, compliance, and provided easy routes for web visitors to exercise their rights under GDPR.

For more information on how to effectively implement locator data and the MetaLocator tool into your business, contact us today!