GDPR is the biggest opportunity in almost three decades for dealers to review how they source, value and use data across their business.
Just as dealers embraced FCA compliance principles across both regulated and non-regulated products, the actions they must undertake under the new data regulation could have a broader effect on their data procedures, helping to pull the laggards towards 21st-century retailing.
The GDPR applies only to personal data, which relates to a living person. This means dealers can continue to hold and process, without the constraints of regulation, the current and historic information relating purely to their vehicles, such as stocking mix, pricing and days taken to sell, plus recalls and repairs completed, in systems where this data is not connected to an individual.
So sales managers should feel little effect on their ability to aggregate data, identifying what sells best or what pricing policy strikes the right balance between turning stock and optimising profits.
Nevertheless, data experts agree that the GDPR is a regulatory change with which all businesses must comply.
“The GDPR requires that any information or communication regarding the processing of personal data must be easily accessible, easy to understand and use clear and plain language. You can no longer hide behind privacy notices written in legal speak, in small print, posted on some obscure part of your website – though really you never could,” said Ian Inman, head of privacy and data protection at Cox Automotive UK.
Here are some key compliance tips:
Map your data
Jenai Nissim, legal director, data protection and privacy at UK law firm TLT, has been working with members of the National Franchised Dealers Association (NFDA) on the GDPR and will present an Insight Theatre on the subject at the Automotive Management Live event on November 9.
She said all dealers should think about the data they are processing, why they are processing it and with whom it is being shared.
Once they have “mapped” their use of personal data, they should also consider what internal data protection processes and procedures they have that relate to data protection, and identify any key gaps. Nissim recommended ‘RAG rating’ those gaps as red, amber or green according to risks, and tackling them in that order.
“This is an invaluable exercise, because it will really give you an idea of what you can do going forward and where your gaps are,” she said.
Inman agreed: “If you had to go before the Information Commissioner or a court and justify your actions in terms of compliance with the GDPR, could you do it? Would you have all the documentation, the policies and contracts to show that you complied? If the answer is no, then you need to identify where the gaps are and fill them.”
Dealers must not hoard data, said Martin Hickley, director of GO DPO, a data governance, protection and privacy specialist. “Old contacts collected 10 years ago, but who never reply to emails, should be securely erased,” he said.
Under the GDPR, organisations must retain personal data only for as long as is necessary for the purpose for which they obtained it. In addition, individuals have the right to have personal data erased in some circumstances.
Inman recommends a ‘privacy by design’ approach, whereby a dealership’s systems enable them to delete information when they no longer need it, or when they are otherwise required to do so.
“It should give you sufficiently granular control over the data on your system that you are able to delete only the personal data you no longer need. If you cannot delete a person’s email address without erasing their whole customer record, you are not demonstrating privacy by design,” he said.
Create a Data Privacy Notice
Under the GDPR, you have to inform a data subject about all their personal data you process, including why, how and where you will process it, the names of any organisations you need to share it with, and how long you will keep it, plus their rights and freedoms under the GDPR.
Hickley suggests dealers could get customers to consent to their personal data being processed, as per the Data Privacy Notice, for an easy win.
However, Nissim warns about relying on consent, except as a last resort. “If consent is the only way you can process that personal data, and the individual withdraws their consent, you must not process it or you’ll be non-compliant,” she said.
Remember your employees
Train all staff in the GDPR as soon as possible, because if the Information Commissioner’s Office (ICO) visits, the first thing it will check is whether their knowledge is up to date, said Hickley.
Nissim said employers should not rely on consent alone to process employee data. They can lawfully process personal data where it is necessary for the performance of a contract with the employee, but they must tell the employee why they need to process it.
She cited the example of tracking devices fitted to company vehicles or demonstrators, which employees may not consent to, but which help the business secure its assets. In such cases, however, organisations must have controls to ensure personal freedoms are not infringed, such as not monitoring usage in their private life.
Consider your third parties
“As a dealership, where you collect personal data, you have obligations to be compliant with data protection legislation. You cannot outsource compliance,” Nissim said. If something goes wrong, and the dealership was using a third party to process its data – including storing it, viewing it, or even destroying it – the liability is with the dealer.
List the third parties with access to your data – who they are, what data they have, and what they are able to do with it. Hickley said a personal data register, keeping a record of data holdings and processing activities, is a formal requirement under the GDPR.
Nissim said: “That record is open to inspection by the regulator at any time, and if you don’t have it ready, it’s not something you can pull together at two days’ notice. They will scrutinise that register and ask questions about it.”
She added that dealers must look at third-party contracts, including dealer standards, to ensure they are compliant with the GDPR’s specific wording, for example that the third party only processes data on documented instructions from the dealer controlling the data, and stipulating that appropriate security measures must be in place.
Hickley warned that there is no escape from liability if something goes wrong, and that offenders may face a stiffer penalty if no contract is in place. Nissim recommends categorising third-party contracts by their different data-sharing purposes, to understand the different obligations each carries under the GDPR.
Dealers using data brought in from third parties, such as marketing data from manufacturers or suppliers, must also get them to show they have gathered it compliantly, she said. Dealers should test the data, she added, because the regulator will want to see that they have not taken its compliance at face value.
Martin Hickley’s five myths about the GDPR
Myth 1: The ICO will give you extra time to get your house in order
No, they won’t. They have repeatedly said they will fully enforce the GDPR from May 25, 2018.
Myth 2: Huge fines are the real teeth
While the fines (up to £17.5m or 4% of turnover) sound bad, they are not the most potent sanction. The ICO will be able to issue temporary or permanent “Stop Orders” to cease personal data processing. That would be like hanging a “closed for the next month” sign outside.
Myth 3: The authorities won’t find out about non-compliance
Yes, they will. For example, your customers will report you when you don’t fulfil a Data Subject Access Request (SAR). The ICO gets more than eight thousand complaints a year on this subject.
Myth 4: You need to be 100% compliant by May 24, 2018
No, you don’t need to be 100% compliant with the GDPR; nobody will be. You have to show you are on a journey to being compliant.
Myth 5: The company owns the personal data
No, your company does not own the data and sometimes you will have to erase it. You have the data on trust, to supply a service or product.