What is the need for Route Optimisation Software (ROS)?
The ever-growing demand for next or same day delivery of goods has increased the pressure on companies involved in the carriage of goods by road (Logistics Provider(s)) to increase the speed at which goods are carried from point to point and to the end user. As a result of this, Logistics Providers are required to seek innovative solutions to increase their efficiency.
One of the innovative solutions Logistics Providers have looked to leverage to increase their efficiency is artificial intelligence (AI) powered ROS to reduce the time taken to deliver the goods by road.
In the context of a globalised logistics industry, ROS frequently relies on the transfer of personal data from one jurisdiction to another to generate the optimal delivery routes for the drivers of the Logistics Provider.
Against this backdrop, this article explores the rules surrounding the movement of that data in the context of ROS and the steps Logistics Providers should take to comply with UK General Data Protection Regulation (UK GDPR).
What is ROS?
Unlike traditional route optimisation methods (which relied on manual calculations and pre-determined algorithms), AI-driven ROS can use sophisticated algorithms to analyse large amounts of data to determine the most efficient route for the carriage of goods. That data includes real-time traffic updates, weather conditions and historical route information, and may also include personal data (including driver details and customer details, if goods are being delivered to the customer directly).
What is the general rule on international transfer of personal data?
Under UK GDPR, where there is a transfer of personal data outside of the UK, the general rule is that such transfers of personal data are restricted (Restricted Transfer(s)), unless certain criteria have been satisfied. Where the ROS relies on Restricted Transfers to function effectively, it is important for Logistics Providers to be aware of the rules surrounding Restricted Transfers.
It should be noted that only the controller or processor who initiates and agrees to the transfer (the Data Exporter) is responsible for complying with the UK GDPR rules on Restricted Transfers. So, if the Logistics Provider agrees to make a Restricted Transfer, then it is the Logistics Provider who will need to comply with the rules relating to a Restricted Transfer. Having said that, the initial controller must always be aware of and maintain visibility over any Restricted Transfer.
When may there be an international transfer of personal data?
When using ROS, Logistics Providers often need to transfer personal data internationally. The following section outlines scenarios where a Restricted Transfer in connection with ROS (on the assumption the Logistics Provider is the party making the Restricted Transfer) may occur. The two most common scenarios where a Restricted Transfer is made are:
Global operations. A Logistics Provider may have offices based across multiple jurisdictions. The personal data which is inputted into the ROS may be transferred across different offices in several jurisdictions to manage the international delivery of goods. For example, a member of the Logistics Provider group which is the controller may make a Restricted Transfer to another member in its group based in another jurisdiction who then inputs the data into the ROS.
Cloud based software. ROS often relies on cloud-based servers located in various jurisdictions. When a Logistics Provider inputs personal data, such as driver information or other relevant details, into the ROS, this data may be transferred from the UK to cloud servers outside the UK.
When is a Restricted Transfer permitted?
The Information Commissioner’s Office (ICO) specifies several exceptions which a party may rely on to make a Restricted Transfer. This section considers the exceptions which a Logistics Provider is most likely to rely on. They are as follows:
Adequacy decisions. An adequacy decision is where the British Government deems that a country or territory has adequate protections in place to protect personal data. This means personal data may flow freely between the UK and these ‘adequate’ countries. The countries which are deemed to have adequate protections include members of the EEA; the United States, Japan and Canada have all received partial adequacy decisions.
Standard data protection clauses. A Logistics Provider may make a Restricted Transfer if it has entered into a contract with the ROS provider incorporating standard data protection clauses recognised or issued in accordance with UK GDPR. Standard data protection clauses impose contractual obligations on the sender and the receiver, and grant rights to people whose personal data is transferred.
Certification. A Logistics Provider may make a Restricted Transfer if the receiver has a certification, under a scheme approved by the ICO. The certification scheme must include appropriate safeguards to protect the rights of people whose personal data is transferred, with a binding and enforceable commitment by the receiver to apply those appropriate safeguards.
Binding Corporate Rules (BCRs). Logistics Providers could adopt BCRs, which are internal policies that are approved by the ICO that allow for the transfer of personal data within the same group across different jurisdictions.
Practical steps to ensure compliance with UK GDPR
Data mapping. Logistics Providers should identify the flows of data to determine whether the use of the ROS will fall within the definition of a Restricted Transfer.
Due diligence. Undertake thorough due diligence on the ROS provider to determine whether such provider complies with UK GDPR requirements when processing the personal data that is inputted into the ROS.
Data Protection Impact Assessments (DPIAs). Perform DPIAs for processing activities that involve high risks to individuals’ rights and freedoms. Identify and mitigate any risks associated with international data transfers.
Data Processing Agreements. When engaging an ROS provider, ensure that within any such agreements there are data protection clauses which satisfy the ICO’s requirements as they relate to Restricted Transfers.
Security Measures. Implement appropriate technical and organisational measures to protect personal data during transfer, such as encryption and access controls.
Training and Awareness. Logistics Providers should ensure that those responsible for transferring personal data internationally are aware of the rules relating to Restricted Transfers. This will help mitigate potential data breaches and therefore avoid fines being incurred.
The Birketts View
In conclusion, it is crucial for Logistics Providers to ensure that their use of such technology aligns with UK GDPR requirements. Logistics Providers should clearly map out the flow of personal data to establish whether such data falls within the definition of a Restricted Transfer and if so, the Logistics Provider should take proactive measures to comply with UK GDPR. By doing this, Logistics Providers can harness the power of ROS to enhance efficiency and deliver exceptional service in a globalised market.
The content of this article is for general information only. It is not, and should not be taken as, legal advice. If you require any further information in relation to this article please contact the author in the first instance. Law covered as at March 2025.