Dealers may face millions of pounds in fines if they fail to prepare for the EU General Data Protection Regulation (GDPR), the stricter data protection laws that will come into force next year.
GDPR will give the UK’s regulator, the Information Commissioner’s Office (ICO), the power to impose fines of up to €20 million (about £17.5 million) or 4% of a company’s global turnover. The current maximum fine is £500,000.
PKF Cooper Parry’s director of IT consultancy, Dan Moore, said: “The fact that a dealership may or may not do something that could lead to them or their global parent company facing a fine equivalent to 4% of global turnover has massive implications, which I don’t think many companies fully appreciate. And it’s not just dealerships and manufacturers who are not fully prepared.”
Dealerships have to address four key points, according to Moore:
- Consent to use data must be given freely
- Data must be collected, stored and processed in the right way
- Companies will need to be clear about how data will be used (‘marketing purposes’ will not be good enough, says Moore)
- Businesses must make clear how data will be protected and continually assessed.
Moore added: “As we understand it, current data is fine to use as long as the same rigorous procedures and checks when managing new data are applied. The difficulty for many dealerships will be proving data was acquired prior to GDPR’s introduction.
“There are some examples of companies thinking ahead, such as Wetherspoons , which recently deleted its entire database to start again, secure in the knowledge that its data from now on will be collated in line with GDPR.
“The larger fines are likely to be for data breaches or losses. If a company cannot show they have taken all reasonable measures to protect personal information, they could find themselves facing hefty fines. Recently, the ICO fined one company £60,000 for failing to take adequate steps to protect their data. Under GDPR, that could be up to £17.5m.
“Not all manufacturers have given full guidance to dealers yet. Many dealers have to meet certain data standards and must provide that information to the manufacturer with some incentives paid on delivery. It does not seem right to penalise a dealer financially for failing to provide information which they are legally bound not to disclose.
“In addition, dealers will need to make it clear to customers that they will be sharing their data with the manufacturer and they will have to explain how it will be utilised. The customer will have every right to opt out. Manufacturers will, therefore, need to be very clear with dealers about their intentions and requirements under GDPR.
“Consumers will also be able to request free access to information held on them. (It currently costs £10.) Mechanisms need to be established so those details can be easily identified. Consumers will also be able to request that their details be deleted, so transparent processes need to be securely in place to allow that.
“The vast scale of the implications of this legislation is not yet fully understood and more thought must be given to the way in which the many layers and multiple parties involved in purchasing a vehicle will manage that data under the new rules. We look forward to discussing these issues with delegates at AM Live in November.”
For more information, contact: Nicola Baxter Tel: +44 (0)1733 468289