100 days of GDPR

21 November 18

May 25th 2018 was the deadline for compliance for the General Data Protection Regulations and there was a detailed plan in place to get us to that point. One Hundred days on and the GDPR is now just part of everything we do in transport data collection and analysis. The Tracsis business depends on accurate data collection and rigorous processes to turn our raw data into valuable information for our clients.

Read on to find out our Top 5 Tick List for Clients

"100 days in and our clients are reaping the benefits of all our investment and hard work. GDPR has proven to be a driver for improvement in our business and our clients."

GDPR infographic.

Our projects have GDPR built in at every stage


  • For all our large contracts and framework contracts the tender process includes a formal assessment of data protection as part of the Tracsis prescribed bid process.

  • Specialist teams look at the risks and assesses the data protection requirements for each client and the end users.

  • We have trained and qualified staff and there is continual training to stay ahead of the market requirements.

  • Qualified data managers and good process can prevent any problems occurring but they can also spot issues with data as it happens. We know what good looks like and our people are trained to put things right when it’s wrong.


  • Since the implementation of GDPR our staff are trained in the systems and policies that ensure standards are met all the way through delivery of transport data projects.

  • It’s not unusual for our clients to request an audit of our processes and we now welcome this. It’s part of the change of culture in our company that has happened over a few years but that GDPR has formalised.

"In our opinion, the existing data management controls employed by Tracsis can provide substantial assurance regarding the effective and efficient achievement of the Client's objectives in relation to Data Protection." (“Substantial" being the highest possible Assurance Rating level)

Independent Auditors working on behalf of one of our national clients

Post Survey

  • Deleting data for those clients that request it is built into our systems.

  • If a client asks us to keep data we can offer fully costed options for use of our high security data servers. This is only carried out where there is a legitimate reason for data storage.

A big "Well Done" to our project teams and in particular to Kevin Smith, our Certified Data Protection Officer who has championed our Data Protection Policy and Training programmes and helped achieve our Cyber Essentials IT certification.

Paul Jackson

Director, Tracsis Traffic Data Ltd

Top 5 tick list for clients

We asked Kevin Smith, our Support Services Director with overall responsibility for data protection to give us his top 5 recommendations for clients when they are contracting for transport surveys.

1.   Decide who is the Data Controller* and who is the Data Processor**.
This is the vital first stage of all our projects. (we’ve provided a definition at the end of this article)

2.   Understand if personal data or sensitive personal data is being collected.
The Information Commissioners Office Website is a good reference point for you but your data collection partner should be able to advise you.

3.   Data Protection Officer.
Ensure that your data collection partner retains, or has access to a qualified Data Protection Officer.
Don’t be afraid to ask for some proof of any certifications, or to engage them during the tender process to better understand and plan for data protection issues.

4.   Audits.
Consider auditing your data collection partners analysis and storage arrangements. This will ensure regulatory compliance and value for money is being achieved.

5.   Don’t be afraid to opt for offshore data analysis.
This can be either within or outside of the European Economic Area (EEA), as long as you are confident that GDPR compliant contracted arrangements have been put in place. It is important to ask your data collection partner for evidence of their regulatory compliance in this area. Offshoring can bring significant cost reductions to clients, and as long as the correct contractual arrangements are in place there is no risk to the integrity of the supply chain or data subjects.

Tracsis Data Collection and Analysis

At Tracsis, data collection and the information generated after detailed analysis is the value we add to clients and end users. Even data that is still gathered using direct manual observation or face–to-face interviews uses a machine interface at some stage to convert the data into a digital format. Most of our work utilises sophisticated digital technology to collect data such as ANPR and Video Analytics with artificial intelligence (AI). We couple this with clever analytics software to produce detailed reports for transport providers, authorities or consultants.

Tracsis investment in these new technologies has resulted in the more accurate, cost effective and faster delivery of projects. Data can be collected for any mode of transport including cycling and walking, at any time of day and in any weather condition. Artificial Intelligence (AI) is enabling our machines to ‘learn on the job’ and improve their effectiveness and efficiency. All this means that data management is at the core of everything we do.

Running alongside our investment in collection techniques has been our GDPR compliant data management systems and expansion of our human resources, including new data protection senior management roles at our head office in Wetherby and the next largest office in London and staff training in all areas of the business. The process for delivering ongoing adherence to the regulations is continuous. For a transport data collection company this means embedding the regulations into our culture, not just our processes.

Organisations that are commissioning transport data collection projects should ensure that the data processor (the contractor) is carrying out a risk assessment and has privacy solutions in place before any data is collected. At Tracsis these processes and checks are embedded in our business.

The effectiveness of our transport networks relies on good planning based on analysis from accurate data about how people move around our roads, railways and pedestrian areas. The whole transport industry needs to understand the principles and how it effects what they do each day. Tracsis has made substantial investments in people training, processes and systems, but by engaging early we have probably saved considerable amounts of time and money for our business and our clients.

Contact for more information:

Nick Mather
Tracsis Traffic and Data Services Division



** A Data Processor is responsible for processing personal data on behalf of a controller.
If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have legal liability if you are responsible for a breach.

* A Data Controller determines the purposes and means of processing personal data.
If you are a controller, you are not relieved of your obligations where a processor is involved – the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.
(Referenced from the ICO 2018)

You can go to the ICO for more information:
The ICO Guide to the GDPR explains the provisions of the GDPR to help organisations comply with its requirements. It is for those who have day-to-day responsibility for data protection.