AM Online

Get third-party data transfer right under GDPR


Data is the lifeblood of the modern car dealership. It comes from and flows to manufacturer partners via a multitude of channels, such as dealer management systems (DMS), customer relationship management (CRM) systems and even emails. Come May 25, all of that data and how it is transferred will have to comply with the General Data Protection Regulation (GDPR).

However, in many cases, the dealer may also share that data with third parties, including finance houses, outsourced call centres and email marketing specialists. Under the GDPR, the customer will have to give clear consent for the dealer to pass it on.

“We are seeing a complete transformation in the way that data transfer works,” said Dom Threlfall, the managing director of Pebley Beach.

“As far as the customer is concerned, the dealer is the manufacturer, so if they say they don’t want any marketing from us, what they actually mean is they don’t want any correspondence from the manufacturer, and we need to make sure their wishes are respected.

“We first mentioned this to our manufacturer partners in 2015 and no one thought much about it at the time, but now a lot of people are frantically scrambling to comply. As a dealer, in 2016, we wanted to get ahead of the curve, so we started getting exclusive permissions from customers to use their data, but there are still many companies out there who are trying to get to grips with the whole issue.”

Threlfall added that in the first instance dealers need to ensure customer consent for the use of all personal data held on DMS and other systems, so it’s clear who can be marketed to. He believes that will also be key to getting manufacturers to become fully compliant with the GDPR on data transfer.

Companies will need to train all their staff on how to deal with personal data transfer. They may also have to change or update their current policies and procedures for handling data to conform with GDPR.

Martin Hickley, a GDPR and data compliance consultant, said that under the GDPR the dealer needs to explain up-front to the customer what their data is going to be used for and how it will be processed. The most common way to provide this information is in a privacy notice.

He added that because the dealer and manufacturer are jointly liable for the data as ‘controller’ and ‘processor’, the risk greatly increases for manufacturers who supplied the information initially if the dealer misuses that data.

“Dealers and manufacturers alike will have to demonstrate compliance with the GDPR and that means recording the data privacy notice given,” he said.

“If consent is given, they will also have to show how that consent was captured in a compliant manner.”

Chris Poulsom, CRM director of THREE60 CRM, said dealers and manufacturers need to work together to determine the contents of their data privacy notice to meet the requirements of the GDPR. He said it is more important for dealers to focus initially on the management of customer permissions rather than how the different data flows from one party to another once it’s on the system.

“For example, a customer may call the dealer and request not to be contacted or marketed to, but their data has already been passed on to the manufacturer,” he said. “So, it really comes down to how customer permissions are managed from the outset between the dealer and manufacturer.”

Poulsom added that the current legislation, the Data Protection Act 1998, requires personal data to be transferred securely between the different parties, and this will continue under the GDPR. This could mean an end to the use of USB sticks or sending and receiving data by email, he said.

“A good starting point is to produce a data map to see where and how data is being transferred, including all third parties involved,” he said. “Then you need to ensure those data transfer methods are secure and you have a process for updating all of the systems and parties of customer permissions.”

While Poulsom said he hadn’t heard anything yet about the need to change franchise contracts to meet GDPR requirements, he added that he would not be surprised if that changed further down the line. In a recent AM-online poll, more than a quarter of respondents said manufacturer partners had changed the terms of franchising agreements with regard to data collection and processing in light of the GDPR.

Madeleine Ansbro, head of compliance at Marshall Motor Group, said that rather than directly affecting personal data transfer, the GDPR would bring a greater awareness around data security. She said it has also made companies more focused on their own data collection methods and why they are collecting it.

“GDPR has made companies realise the importance of protecting data, particularly when it comes to consent for using it for marketing purposes or passing it on to a third party,” she said. “So that means greater transparency for the customer, which can only be a good thing.”

Ansbro added that some dealers will need to amend or add clauses to their present franchise contracts to reflect GDPR. This needs to both cover their liabilities and state their purpose for using the data, so they are able to take appropriate action if it is misused, she said.

Simon Upton, group commercial director at GForces, said the GDPR had also brought a greater focus on the link between dealers, manufacturers and third parties. He believes that contracts will need to be changed in the future to ensure third parties have specific written instructions on how to process the data.

“Whilst GDPR does not necessarily change what third parties do for dealers and manufacturers, new contracts and data-processing agreements will clear up any grey areas,” he said. “This will also ensure the entire information chain is clear on what data they can collect, store or transit, whether as the data controller or data processor.”

There is also a potential issue of personal data being passed from one customer to the next. Dealers and remarketing companies need to ensure that all of the previous owner’s data is removed before a used vehicle is sold, including phone and sat-nav records.

Sam Watkins, deputy chair of The Vehicle Remarketing Association, said: “Anyone who has bought a used car in the last few years will know data such as sat-nav and phone records from the previous owner are often not removed when a vehicle is sold. It’s probably a good idea in general that this data should be deleted – it provides a very good indication of a person’s movements, work and social activities – but GDPR makes it a legal responsibility.

“At some point in the supply chain, it has to be deleted. The question is – who should be responsible for doing this?”

Louise Wallis, head of business at the National Franchised Dealers Association (NFDA), added: “GDPR will drive change regarding consent for data use and security. It serves as a timely reminder to members that they need to get the appropriate procedures in place when dealing with personal data of all forms.”

ALEX WRIGHT
