Dealers and their IT suppliers must be ready for the introduction of EU General Data Protection Regulation (GDPR) in 2018 or face huge fines or even a ban on  using customer data, a data expert has warned.

As customer data-gathering and handling becomes an integral part of the sales and marketing processes, dealer groups of all sizes need to prepare for the legislation, which has “real teeth”, according to Martin Hickley, director of data governance, protection and privacy specialist Data Protection GO DPO.

GDPR rules will demand greater levels of cyber-security, the appointment of a dedicated ‘data controller’ and recording of dealer transactions.

It will govern the handling and security of customer data as well as customers’ rights to ‘opt out’ or simply be ‘forgotten’ as well as any exchange of customer data between dealers, finance houses and manufacturers.

How can UK car dealers ensure they are GDPR-compliant?

At the core of the new regulations is the data privacy notice (DPN) that must be shown to and consented to by consumers.

It must satisfy two conditions. The first deals with data collection and explains:

► Who is processing the personal data.

► How a customer can contact their representative to ask questions.

► What types of data are being processed.

► For what defined purposes data is being processed.

► How long the data will be retained.

► Who data will be transferred to, and, if not in the EU, the legal mechanism for this.

To satisfy the second condition – which lays out the legal basis for the processing of the data – the dealer must be able to:

►Present a single, completed contract.

► Demonstrate a legitimate reason for processing personal data.

► Show the customer has given their unambiguous or explicit consent.

► Explain the right of the data subject to complain to the supervisory authority.

Hickley said: “The customer must be able to object to processing and withdraw consent as easy as give it.

“A clear and complete DPN is key to handling personal data, but it also links to the legal basis for collecting personal data.  

“In effect, you say ‘by ticking this box, I consent to my personal data being processed as described in the DPN’.”

If a dealer is collecting data for anyone else, such as a finance house or manufacturer, it has to be made clear to the customer. A log of any data transfer must be recorded.

The legislation also incorporates seven rights and freedoms of the data subject:

1: The ‘right to access’ – a right of access to all their personal data, currently known as a subject access request (SAR).

2: The ‘right to rectification’ if data is wrong.

3: The ‘right to be forgotten’, or have their personal data erased.

4: The ‘right to restriction’ of processing upon request under certain conditions.

5: The ‘right to data portability’, i.e. get an electronic copy of all their personal data, or request it is transmitted from one data controller to another.

6: The ‘right to object to processing’.

7: The right not to be subject to automated decision making processing that produces legal effects or significant affects.

Should organisations fail to comply, the repercussions may include audits, public warnings and enforcement orders. For the most severe infractions, regulators can levy a fine amounting to 4% of a company’s turnover from the previous year.

These measures are what Elizabeth Denham, the UK Information Commissioner, calls the “stick in the cupboard”. However, according to Hickley: “These are not the real sanctions to worry about.

“The supervisory authority has the power to order a temporary or permanent cessation of data processing and data transfers.

“If a business cannot process personal data, even temporarily, you may as well hang a ‘closed sign’ on your door. Furthermore, personal data breaches must be reported within 72 hours, and if you don’t you can be fined.”

Data collection and processing has become essential to many businesses – from determining when to approach a customer about a renewal, service or MOT to a vital product recall – but while many large groups are already moving to adapt their dealership management systems (DMS) and cyber-security to become GDPR-compliant, Hickley fears that many are not even aware of the changes.

Writing for Computer Weekly in June, Yves Le Roux, co-chair of the (ISC) EMEA Advisory Council and technology strategist for CA Technologies, said 79% of Britain’s medium and large companies were unsure about their compliance.

Tim Smith, group strategy director at GForces, said: “Although recent instances of companies losing vast amounts of customer data have highlighted the importance of data protection, many dealers will assume that a third party, such as their web provider, will do this for them and conform to tight operational standards. Unfortunately, that’s not always the case.

“Dealers need to be aware of their obligations with the new legislation and if and how they are protected.

“With fines of up to 4% of global turnover if they get it wrong, it’s a risk the average dealer probably can’t afford to take.”

 

Day-to-day dealer impact

Denham said GDPR would replace the Data Protection Act (DPA) 1998 in the UK on May 25, 2018, regardless of the Brexit vote.

“We will be members of the EU in 2018 and therefore it would be expected and quite normal for us to opt into the GDPR and then look later at how best we might be able to help British business with data protection, while maintaining high levels of protection for members of the public,” she said.

“I acknowledge that there may still be questions about how the GDPR would work on the UK leaving the EU, but this should not distract from the important task of compliance with GDPR by 2018.”

While there has been considerable discussion about the impact of the GDPR on businesses that deal directly with customers, the distributed model that exists in the motor industry has received less attention, said Hickley.

NFDA director Sue Robinson echoed Denham’s assertion that GDPR would remain in place after a UK departure from the EU: “It is highly likely that domestic legislation will be updated to mirror these EU rules, simply to facilitate cross-border trade.”

She added: “In light of these upcoming changes, the NFDA is drawing together guidance for dealers to ensure UK dealers are properly equipped for the road ahead and understand their obligations.

“The guidance, which is being developed through a working group over coming months in conjunction with our legal advisers, TLT, is intended to set out the key steps that dealers will need to take to comply with the new legislative requirements. This should ensure our members are in the best position to protect and exploit their data in accordance with anticipated law in the future.

“We are focusing on the following issues: identifying common data flows; assessing how data is obtained, used and shared: and considering current and anticipated data applications and objectives as the market evolves.

“We would welcome written feedback from interested dealers on these issues.”

Hickley and his team are also developing their own training and consultation service in partnership with training provider GMD People.

To ensure a dealer’s GDPR compliance, he said before a customer’s personal data can be recorded, they must be shown a data privacy notice (DPN) that is “transparent and in clear and easily understandable language”. This will be “much more comprehensive than before, under the DPA”.

 

Who owns the customer data?

As with the earlier introduction of FCA regulations on credit, GDPR is intended to put power back in the hands of consumers.

Customer data is a valuable resource for retailers and manufacturers and dealers have often clashed over who owns it. However, the new regulatory model provides an unambiguous answer: The customer owns their personal data.

According to Hickley, an organisation can only legally store and process personal data for specific purposes on behalf of the customer.

“When that purpose has come to an end, you have to erase that personal data,” he said.

However, GDPR is likely to put some power back into the hands of the retailers, as they inevitably act as data gatherers on a day-to-day basis.

Hickley said GDPR is also much more prescriptive about how any data collected by dealers would be transferred onward to third parties.

“These will be significant barriers to vehicle manufacturers obtaining the personal data of drivers, to such a degree that I believe direct marketing from the vehicle manufacturer will decline considerably after May 2018.

“To combat this, manufacturers will increasingly rely on using online – either smart apps or the internet – to get the personal details of driver to connect to a vehicle.

“Failure to develop these applications could seriously erode repeat vehicle sales for specific brands. This will reinforce the dealer being ‘king’ in the relationship with the customer.”

To become “king”, dealers first need to ensure that their house is in order, though.

 

What the DMS providers need to do

With so many data processes being completed on software provided by outside suppliers, DMS and CMS providers will need to guide their customers through the GDPR minefield during the coming year.

Chris Poulsom, CRM director at MDF360, said: “We expect this to be a real area of challenge, but an area we will be helping our clients with.  

“Having recently completed an audit of all enquiry/sales order forms, DMS’s and showroom systems in place across a manufacturer network, it’s clear there is a big difference between facilities to capture opt-in/out.  

“There were 17 different showroom systems in place, only half of which catered for opt in/out of email, SMS, mail and phone channels, with the others mostly having a general opt in/out feature only.

“Assessing the forms, only two thirds had somewhere to capture opt in/out. Just one third had it across all channels, so there is work to be done, even at a process level.”

Simon Crace, operations director at MB Advertising Group, which works with Bluesky Interactive, said: “While it will be painful implementing it, in the long term it’s a positive step in our view."