The EU General Data Protection Regulation (GDPR) applies in the UK from 25th May 2018. The new data rules will have a huge impact on how the automotive retail industry handles and protects customer and lead information, as Paul Smith from Traka Automotive has discovered.
The new rules may be broadly categorised into five areas: data security, data subject consent, data anonymisation, breach notification, and trans-border data transfers. In terms of data security, the GDPR places an increased responsibility on dealers to take reasonable and proportionate cyber security measures to protect personal data. Specifically, Article 32 lists, as appropriate to the risk, pseudonymisation and encryption of personal data, ensuring ongoing confidentiality, integrity and availability of processing systems, the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident, and a process for regularly testing and evaluating the effectiveness of the security measures.
Also specified in the GDPR is the requirement to notify the Information Commissioner's Office of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the individuals affected; where the risk is high, the affected individuals must also be informed without undue delay. You will need to have appointed a data protection officer where one is required, and to have 'mapped your data' so you know where your customers' data goes, why, and how it is secured at any third-party location used in that process (to secure credit, for marketing purposes, etc.).
Another key requirement of the GDPR is transparency and, where processing relies on it, data subject consent. For this purpose, data privacy notices (DPNs) must be provided to all people whose data you hold, and where consent is the legal basis for processing, that consent must be freely given, specific and recorded. Your DPNs need to explain who is controlling and processing the customer's personal data, and how customers can contact you to ask any questions about the data you hold on them. They also need to explain what type of data is being processed, for what purpose it is being processed (the purpose must be legitimate and the legal basis stated), how long the data will be retained, who the data will be transferred to and, if the recipient is outside the EU, the legal mechanism (such as an adequacy decision or standard contractual clauses) that safeguards the transfer. There must also be a mechanism in place so that the customer can withdraw consent as easily as they gave it.
Consumers are specifically granted the 'right to be forgotten' (the right to erasure) under the legislation, which requires the data controller and/or processor to erase that customer's details on request where no other lawful ground for keeping them applies, for example a legal obligation to retain records. The 'right of access' to all personal data you hold on them has been strengthened further, as has the 'right to rectification' when you have collected incorrect data about your customers.
If a dealer is going to a third party to obtain details about the customer, it must explicitly tell the customer this is happening and, where consent is the basis for doing so, secure that consent. A log of any personal data transfers either from or to a third party should also be kept. Note that FCA rules require calls relating to the sale of regulated financial products (such as GAP insurance and PCPs) to be retained for three years, so a deletion request cannot simply override that retention period; the privacy notice should say so.
With so many changes demanded by the new rules, it is good to know that the National Franchised Dealers Association (NFDA) is working on formalising this guidance and spearheading training packages.
Paul Smith from Traka Automotive commented, “Dealers should start now by assessing how personal data is obtained, used and shared across and beyond their organisation. It makes sense to pick up the phone to your DMS and/or CMS provider to check whether their systems are GDPR-ready – lots aren’t! Once armed with this knowledge, you need to work through GDPR requirements one by one to ensure readiness.”
“Dealerships should remember that they are in the front line – interfacing with customers and prospects, taking their details and responding to their requests. Although this does mean that they carry a significant burden to collect, store and eventually delete that data in compliance with GDPR, it also presents a barrier to manufacturers trying to gain direct access to customer details through their websites, smart apps and other digital marketing initiatives.”
So much so, that Martin Hickley, Director of Data Protection at GO DPO EU Compliance Limited, reckons there: “…will be significant barriers to vehicle manufacturers obtaining (the) personal data of drivers, to such a degree that I believe direct marketing from the vehicle manufacturer will decline considerably after May 2018.”