As a UK business using third-party applications, you – as the data controller, remain ultimately liable for ensuring the security of personal data, even when processed by a third-party data processor, and must demonstrate compliance with UK GDPR. As a self-employed ADI, this is you and potentially your school/franchise if you are a member.

Acronym Warning!

While we try to minimise the use of TLAs (Three Letter Acronyms), the tech world are even bigger fans than ADIs with their MSPSGL, LADA, FISH and of course LTD.

Let’s take a minute to cover them:

ICO – This stands for “Information Commissioner’s Office”, it is the independent regulatory body in the UK responsible for upholding data protection laws, including GDPR, meaning it oversees how organisations handle personal data and can take enforcement action against those who breach GDPR regulations. https://ico.org.uk

GDPR – We have all heard of it often as an excuse or get-out clause, but what does it mean?  The General Data Protection Regulations. A European Union law that protects people’s personal data. It aims to give people control over their data and restrict how companies can use it. As a business that holds personal data you are a ‘data handler’ and must act in accordance with these regulations. https://gdpr.eu/what-is-gdpr/

What does this mean to you?

It means you need to do your homework before clicking accept. Definitely read the small print we all too often ignore and do a check on the legitimacy of the company. Just because they look professional or are recommended does not mean your data is secure.

When Instructors hear about their data being secure they often default to ‘Will it be there tomorrow’ not ‘Will it be stolen, sold or used without permission’’. Both of these are important points and need to be considered.

You may have had pupils affected by the questionable practices of some cancellation checkers. One of the DVSAs significant concerns is the misuse of candidates’ data.The following statement from the DVSA encourages ADIs to consider who they and their pupils share data with:

“GOV.UK is the only official way to book a practical driving test. DVSA does not run, approve or endorse any cancellation finder apps or services. Using these means you risk losing money, test slots or personal data – such as driving licence numbers, which could be used to steal someone’s identity.”

This year, a number of new apps arrived on the market in what is expected to be a continually growing number of tech resources targeting the industry. Sometimes identifying who is behind these products is as easy as checking their Companies House listing and following the breadcrumbs. If they are not upfront about who they are it is equally likely they are not going to be open and honest about what they are doing with the data they are given.

We asked some established industry providers are MyDriveTime, Total Drive and GoRoadie for their company attitude toward data security, some of which may be linked to in other articles.

Michael Carr from GoRoadie recognised the risks, saying “At GoRoadie, data security is our top priority. We are fully compliant with ICO and GDPR regulations, ensuring the highest standards of data protection at all times. Additionally, all passwords and sensitive information are encrypted to safeguard against potential breaches. We understand the concerns around data security in the driver training industry and are committed to keeping student and instructor information safe.”

Tom Wotton at Total Drive replied “Total Drive Software Ltd has a responsibility to driving schools, instructors, pupils and parents. Used by 20% of the industry, safeguarding data is paramount to the 7,000+ instructors who use the app. Effective data protection ensures that confidential customer information is kept secure from cyber threats and unauthorised access. Total Drive does not sell any data. Pupils also have the option to remove their own data themselves should they wish. 

Total Drive undertakes annual penetration testing by an independent company that covers cyber security, data protection and information security – last renewed in December 2024.”

And 

Dan Hill from MyDriveTime urged instructors take note, stating “Even before GDPR became big news, our data policy has always been based on one simple truth.  We own the software, and our customers own the data.

We have never, and would never sell data to a third party, because it doesn’t belong to us.  That would be theft or fraudulent appropriation. We never have, and never would promote our or anyone else’s services to our customer’s customer, without our customer’s permission, because that’s just rude.

It’s not just about the technicalities or data laws.  It’s about ethics, morality and decency, and we’ll continue to operate with those attributes embedded in our culture at MyDriveTime. Effective data security is complex, expensive and time-consuming.  Most consider it ‘boring’, so it’s not always at the top of a software company’s priority list (despite what they claim)…

My hope is that, as Chris says here, people verify what is being promised and get a feel for the company they’re trusting – beyond the marketing hype – before they make their decision.”

Is it just the app providers?

We should also hold our industry channels to account. At the DITC, while we try to do our best to verify sources and opinions, we welcome people raising any issues we may not be aware of with those that we promote or share information from. We can’t always get it right however hard we try! The same needs to be true with associations, trainers, franchises and other news channels across the sector. We spoke to Terry Cook, podcasting oligarch in the driver training sector, about the responsibility such news channels have to get it right:

“When covering sensitive matters, it’s crucial for news channels to take steps to ensure the information they provide is accurate. Clearly distinguishing between factual reporting and personal opinion is essential to maintain trust with the audience. 

Moreover, news outlets should be open to feedback, and any inaccuracies should be corrected with the same level of visibility as the original content.

At the Instructor podcast, we do not claim to be an expert in every area, which is why we invite the experts, leaders, and game changers to appear and provide it to you from the horses mouth.”

You can see a list of the range of expertise that Terry is referring to here on The Instructor Podcast. In the same way he cannot be an expert in all these areas, we (ADI business owners) cannot expect to be vastly educated on the niche areas we out source, which is why it is important to do due diligence on who you trust. Simple measures can be undertaken such as asking for ICO certificates, reading privacy and GDPR policies, making sure pupils sign written T&Cs with you own organisation to mitigate your own risks. Untrustworthy people can obviously appear trustworthy, but making it harder for them by educating yourself is an important step.

“That’s why I use pen and paper”

GDPR also applies to data held in this way and if you have your paperwork (diary, notebook, records) stolen you are required to take measures to protect this. That is difficult unless you write in code! On top of that, your pupils are tech-savvy and not engaging with them on their own terms may leave you at a disadvantage as technology continues to progress.

Are app providers evil?

No! Tech is an amazing resource in all elements of learning to drive and running your business. As a relatively small sector we are only just seeing the start of what will be possible over the next few years. The opportunities include:

Diary management

Pupil management

Financial tracking and accounting

Teaching tools and resources

Vehicle tracking

Instructor training and CPD

They also give us access to other sectors allowing information sharing and cross-pollination, giving us new opportunities and insights. We just need to check who we are trusting and if they have your best interests at heart. If you want further information on your GDPR requirements and risks visit the ICO or contact The DITC or your national association who should be able to provide further guidance. 

By Chris Bensted on behalf of The DITC

Related article: The True Cost of Free Apps by MyDriveTime