Jenai Nissim legal director, data protection and privacy, TLT
There is no ‘one size fits all’ solution to General Data Protection Regulation (GDPR) compliance. Instead, dealers need to thoroughly review the personal data they possess and understand how it is collected and used.
These are essential first steps in avoiding a GDPR breach, which could lead to a maximum fine of €20 million or up to 4% of annual global turnover.
Outlining the key steps to ensure GDPR compliance, Nissim said once an employee had been assigned as a project leader (they could be someone in IT accustomed to handling data or someone from a compliance background), a data review was the first goal in understanding your risk exposure.
The most sensitive personal data a dealer will be holding is not customers’ financial information, but that of its employees.
Nissim said there was widespread confusion about what constituted sensitive personal data: “Financial information allowing you to process card payments is personal, but not to the same degree as an employee’s health information.”
The second question to answer is who collected the personal data and why, since it will come from a number of sources – customers, manufacturers and finance companies, for example – and what you are doing with it.
“It doesn’t matter what you’re doing with the data. You need to tell individuals that you are processing personal data and how it is being processed.”
Personal devices used for work
If staff use tablets, laptops or mobile phones for work, an employer must tell them if they are being monitored and to what extent. Not doing so will violate their data protection and human rights. Nissim said there have been cases where employees who left an organisation over a grievance then requested copies of messages about them that fellow staff had sent on work phones.
The next step is to think about the legal basis for processing data. “When you process data, you cannot just do anything with it,” she said.
“The GDPR sets out six requirements for processing personal data and another 10 for sensitive data. So ensure that what you’re doing meets these requirements.”
Do not delete your data where you don’t have consent to contact individuals. Consent is one way to permit compliant contact, but previously selling products and services to individuals and telling them in terms and conditions that you will use their data for marketing purposes provides an exemption called a soft opt-in, said Nissim. However, dealers should get legal advice on this before they proceed.
Sharing personal data
Sharing data across a dealer group between separate legal entities and dealerships, as well as with insurance companies, manufacturers, solicitors and IT providers, is classed as passing information between third parties. You must tell individuals that their data will be passed between companies in your group as well as to third parties.
Contracts between the third parties – and this includes manufacturer franchise agreements – will have to be updated to acknowledge GDPR.
Data subject rights
One of the biggest changes to individuals’ rights, and the most difficult for dealers to handle, is the data subject access request, where an individual can ask for a copy of all personal data the business processes about them.
An employee can ask for it without giving a reason, and the business would have to search its IT systems, including email. A business has one month to comply once the request has been made. While there are exemptions, including one for disproportionate effort, saying you don’t have the resources or time is not going to be a sufficient objection in the eyes of the Information Commissioner’s Office (ICO).
Right to data portability
The second of numerous rights under GDPR is portability, the freedom for an individual to have their data passed on to a competitor. A customer could ask part-way through a financial agreement for their data to be passed from a dealer’s finance provider directly to a high street bank. Consider how you would extract that data, advised Nissim.
Right to erase data
This is not an absolute right for a consumer. A dealer may need to retain certain information under Financial Conduct Authority regulations, for example a credit eligibility assessment.
Personal data breaches
The ICO and FCA should be informed of breaches. It is important to be able to identify a breach, log it and know how to respond. A breach can include the loss of a mobile phone or laptop that is not encrypted, or an email sent to the wrong address.
If you are sharing data with a third party and it suffers a breach, it is your responsibility, said Nissim: “You can’t outsource compliance.”
Madeleine Ansbro, head of compliance, Marshall Motor Group
GDPR compliance should not be the responsibility of one person in a dealer group. Delegation and the ‘chunking down’ of information are important steps in ensuring total business compliance, said Ansbro, as she explained how the AM100 group had been preparing for the new data rules since June.
It set up a working party and each member was encouraged to gather as much information on GDPR as possible, with the ICO website (ico.org.uk) being a primary source.
“Compliance affects the entire business, so delegation is critical, involving HR, IT, operations, marketing, anyone that can support you and make a difference,” she said. Involving the entire business also ensures compliance is kept on the management board’s agenda.
“Then chunk it down as the work involved can seem overwhelming. Break the work down into segments and, for example, what should be achieved by the end of the year.”
The exchange of ideas between others in the industry will also help.
Marshall’s practical steps to compliance include:
■ a data-mapping exercise
■ contract review
■ ensuring processes to obtain, record and retrieve consent
■ a privacy notice (“one of GDPR’s cornerstone documents”) specific to the organisation that is easy to read and written with legal advice
■ data security measures
■ procedures to allow for subject access requests, data erasure and portability.
“Before the May 25 GDPR implementation date, carry out test procedures. Make your mistakes before May. Don’t wait to find you have problems when a customer asks for a data access or erasure request,” said Ansbro.
Dan Moore, director of IT consultancy, PKF Cooper Parry
Regular training and awareness-building should combine with IT measures to ensure the threats from hackers are countered and GDPR compliance is guaranteed.
Moore said IT measures such as penetration testing (an authorised simulated attack on a computer system looking for security flaws) and two-factor authentication (asking for two pieces of evidence before giving a user access) should go hand-in-hand with training and awareness. Testing staff on the rules and risks is essential, with refreshers every six months.
“Does your finance team know what to look out for? Have you put processes in place to stop staff sending bank transfer details in reply to an email that has come out of the blue that might look like it has come from a senior manager in the business, but is actually a phishing email from someone looking to exploit weaknesses in your system to do you financial and reputational harm?”
A data audit and the creation of an asset register are essential to understanding whether what you hold on your network is secure and whether the way it is being used is compliant.
Moore cited Wetherspoons and its decision in July following a data breach to delete contact details for almost 700,000 customers as an extreme example of a data audit.
“Wetherspoons knew it didn’t have consent to contact all these people. The delete decision was made for two reasons. Firstly, if the company no longer had the data it couldn’t be used by accident. And it wasn’t information it needed anymore, having made the decision to use social media as a means of reaching out to customers,” said Moore.
“Hackers will try the locks on your doors in their attempts to cause you financial and reputational damage. The Information Commissioner’s Office will be looking for evidence of due diligence and that you tried everything to avoid data misuse,” he said.