AM Online

GDPR: What have car dealers and manufacturers done to protect customer data?

GDPR case studies

Dealers have until May 25 to get ready for the new general data protection regulation (GDPR). 

GDPR will give the UK’s regulator, the Information Commissioner’s Office (ICO), the power to impose fines of up to €20 million (about

£17.5m) or 4% of a company’s global turnover for breaches of the rules. The current maximum fine is £500,000. 

The ICO can also bar a business from handling any customer data at all, which could put  some dealerships out of business.


Marshall Motor Group

Madeleine Ansbro, Marshall Motor GroupMadeleine Ansbro, head of compliance at Marshall Motors, joined the company in May this year and is specifically tackling areas such as FCA and GDPR compliance for the group.

She said: “We’re doing a lot of groundwork and we’re at the early stages. We formed an internal working party in July across HR, legal, compliance, IT, marketing and operations.

“GDPR is very wide-reaching and the tentacles reach into every area of the business.”

Ansbro’s first task was to bring awareness to directors and senior managers to give an overview of GDPR and how it would affect the business.

The next step was to start a data-mapping exercise. This looks at every area of the business and how data is being handled, where it is stored, who it is shared with and the security measures around that. 

She said: “Everything has to be assessed properly. Every single system we use has to have a thorough analysis.

“We are still working on that because we are a large business and it’s quite an intensive process, but it’s a crucial first step.”

Ansbro said one of the biggest challenges around obtaining consent was making sure systems are able to evidence that consent. Marshall is still working on that in partnership with its suppliers.

She said: “We have to make sure consent is evidenced to the satisfaction of the regulator and how we do that across each department may vary. It’s not a one-size-fits-all solution.”

Ansbro said suppliers and manufacturers are at differing stages of preparations for GDPR. Marshall is looking at all supplier contracts to make sure there are clauses that cover GDPR.

Ansbro said: “This will be used to specifically state how we need any data that is being passed on to be treated and the consequences of not adhering to GDPR regulations.”

Ansbro has taken on the position of data protection officer (DPO).

“We want to make sure we have a robust stance on GDPR and I think having a DPO sends a positive message about how the business views its responsibilities.

“Having a DPO gives the business a central point of contact if anyone has any issues or needs any advice on how to proceed.”

Training for staff is still being finalised, but Marshall is likely to put together an e-learning course for all employees. Ansbro has also created a compliance newsletter that goes out internally to update the business. The first of these went out in September.

Ansbro said: “It’s important that training is job-specific for each role and offers practical advice about what you can and cannot do. I want people to feel confident about GDPR and how this is all going to work.”


Pebley Beach

Dom Threlfall, managing director, Pebley BeachDom Threlfall, managing director at two-site group Pebley Beach, started work on GDPR compliance in October 2016, prompted by an article in AM.

He also attended an NFDA seminar. Threlfall said GDPR could leave those unprepared for the changes with a customer database that is essentially valueless.

He said: “Some dealers have been getting ahead of this, but I’m sure there will be some that will carry on as usual and then react when someone is made an example of next year.”

Pebley Beach is speaking to customers as they come in for a service to explain about seeking explicit permissions to contact them.

He said: “Typically, you would want to see all of your customers through a 12-18 month period.

“We’re getting permission on the job card they sign in the aftersales department.”

Threlfall nominated himself to be Pebley Beach’s data officer. Larger dealer groups are likely to have a dedicated data controller.

Both Pebley Beach’s franchises, Hyundai and Suzuki, have GDPR working groups, which have been communicating what they are doing on compliance.

The company’s dealership management system provider has already updated its systems to be GDPR-compliant and Threlfall said the company asked its data host provider to make sure everything is held in the UK.

Threlfall said: “In some cases, it means that instead of four lines explaining about data protection, it’s now gone to eight lines.

“Ironically, the more detailed and complicated it becomes, the less likely it is a customer is going to read it. We have got everything checked by our solicitor, who luckily is also a data protection specialist, to make sure we are compliant.”

In Threlfall’s opinion, as MOTs are essential, reminding a customer that one is due should fall outside the GDPR’s requirement for specific consent. He said: “We have been getting ahead of this, so our customers aren’t left in a position where they’re not getting reminders for MOTs. If we didn’t send out reminders, we would have thousands of unhappy customers that rely on us to remind them.”


Hendy Group

Mark Busby, Hendy Group commercial directorHendy Group attended the NFDA’s GDPR seminar and has been working on a “detailed action plan” for the past six months. The company has a working group with 13 members and has been working on a ‘gap analysis’.

Mark Busby, Hendy Group commercial director, said: “It’s been a significant bit of work and we’re hoping to be in a fully compliant position before the end of this year. That will give us a few months to test what we’ve done and make any tweaks that we need to.”

Some of the preparations include revisiting the businesses’ privacy statements and creating forms at the point of sale in the showroom where customers can opt in.

He said: “The hardest part is going back to people that are already in your database and then seeking permission there.

“We have an internal compliance manager that is working on making sure everything we’re doing is in line with the legislation and we are also checking that with an external provider we have on retainer. 

“We’re taking the approach that every time we speak to a customer, we’re re-establishing consent at that point ahead of the May deadline.”

Once consent is given, it is recorded in Hendy’s DMS so teams know whether a customer has given consent to be contacted and the question isn’t asked again and again.

He said: “There has to be a positive reason to give consent, so there has to be a focus on what’s in it for the customer.”

Busby said the dealer group is ahead of some of its suppliers in terms of being GDPR-compliant, but he is confident they will be ready before May.

He said: “It’s a process of sitting down and going through an audit of our relationship with suppliers in terms of what they’re doing with the data. Where are their servers? Things like that.”

Each of Hendy’s staff members will go through a two-hour workshop on GDPR and every new member will have GDPR training as part of their induction. There will also be an e-learning module each staff member throughout the group will take each year.

Busby said: “We’re keeping a close eye on the legislation in the run-up to May 2018 as it’s not all finalised and nailed down, so it’s important we can be fluid with what we are planning so we can adjust if we need to.”



Mazda is currently going through the process of reviewing its data capture processes and systems to make sure they are compliant with GDPR.

A spokesman for Mazda said: “We would only communicate to those that we either have consent for or have legitimate grounds to contact. 

“We would recommend that the dealer network also carry out the same process of reviewing their data capture processes to ensure compliance for May 25.”

Mazda is planning to issue specific guidance for its network before the end of this year.

The spokesman said some of its dealers are actively working with their DMS and CMS providers to help to make sure systems are compliant, but the main burden on dealers falls outside the functionality of systems.

He said: “According to Article 32, data processors must be able to evidence ‘appropriate technical and organisation measures to ensure a level of security appropriate to risk’. Therefore, as a minimum, DMS/CMS systems must provide functionality that can achieve this, but dealer attitudes to GDPR implementation, conduct and ongoing processes/working practice are far more important factors for retailers to consider in achieving overall compliance with GDPR.”

Mazda’s spokesman said the training of staff on GDPR ultimately falls with retailers, although the subject may be addressed with its guidance if it is raised as an issue of concern towards the end of this year.

He said: “We will complement our existing internal training programme on data protection to raise awareness of changes and will undertake impact assessments to review the risks for any new projects involving data.”



The ICO has already shown its teeth ahead of GDPR rule changes after it fined Honda Europe £13,000 in March this year.

An investigation found that between May 1, 2016, and August 22, 2016, Honda had sent 289,790 emails entitled“would you like to hear from Honda?” to clarify the recipients’ marketing preferences. The email was sent to those individuals on the database for whom no “opt in” or “opt out” information was held. Following receipt of the email, an individual made a complaint to the ICO. 

Honda believed the emails were not classed as marketing, but instead were customer service emails to help the company comply with data protection law. Honda explained that it had sent the email, not with the purpose of marketing, but as a service email, to ensure it was maintaining its compliance with the data protection principles relating to the retention of personal data and direct marketing.

However, the ICO said Honda couldn’t provide evidence that the customers had ever given consent to receive this type of email, which is a breach of Privacy and Electronic Communication Regulations (PECR).

A Honda spokesman told AM: “We are keenly aware of GDPR and the penalties for non-compliance.

“Honda is currently reviewing internal data protection policies and procedures. In addition, Honda will conduct a review of its agreements with third parties, including dealers, where such contractual relationships involve the processing of personal data.”

The manufacturer had already provided a detailed ‘briefing note’ to its dealer network, aimed at helping them to understand the key compliance requirements under GDPR and how the regulation may affect direct marketing to customers.

However, Honda has also advised its network that each dealer is ultimately responsible for its own compliance.

The spokesman said: “We recommended that each dealer seeks independent legal advice from a reputable law firm in order to fully understand the GDPR and how it may impact on their own businesses.”

Steve Eckersley, the ICO’s head of enforcement, said: “Honda Europe sent emails asking for consent to future marketing. In doing so, it broke the law. Sending emails to determine whether people want to receive marketing without the right consent is still marketing and it is against the law.”

The ICO recognises that companies will be reviewing how they obtain customer consent for marketing to comply with the GDPR.

Eckersley said: “Businesses must understand they can’t break one law to get ready for another.”

He said any company unsure of the best way to prepare for the change in consent under GDPR should contact the ICO for advice.

To download the ICO’s guidance document for direct marketing compliance, visit:




If you are not a registered user your comment will go to AM for approval before publishing. To avoid this requirement please register or login.

Login to comment


No comments have been made yet.