Like all organisations that process personal data, motor dealers must comply with data protection legislation.
In light of the forthcoming General Data Protection Regulations (GDPR), which will replace the Data Protection Act 1998 (DPA 1998) from May 2018, this is more important than ever.
It is essential to have compliant data processing measures and procedures in place sooner rather than later, especially as there will be severe penalties for failure to comply with GDPR including fines equivalent to 4% of an organisation’s annual turnover.
Other sanctions include suspension and bans from processing data, something which would be fatal to organisations in the motor trade who rely heavily on the use of personal data to promote their products and services to customers.
Customer databases are an extremely valuable asset for motor dealers and an inability to use them would be unthinkable to most dealers.
Privacy notices must be provided to customers at the point their personal data is collected (this could include when a customer makes an enquiry or completes a sale order form) or alternatively within a reasonable time where data is obtained from a third party.
The GDPR builds upon the current requirement to provide data subjects with details of the data controller, the purpose of the processing, recipients of data and rights of access to include information such as the legal basis for processing, period of time the data will be stored and the right of rectification or erasure of data, amongst others.
Marketing and profiling
New privacy regulations which complement the GDPR are due to come into force in 2018.
The draft regulations continue to allow motor dealers to send marketing emails about their products or services to customers who have purchased similar products and services without obtaining express consent to do so.
It is important to note, however, that a customer must be given the opportunity to object to such marketing at the point of collection of their details and each time a marketing email is sent.
Some motor dealers undertake automated processing including profiling.
Profiling can be used to evaluate personal aspects of an individual, in particular to analyse or predict their economic situation, health, personal preferences, reliability, behaviour, location, or movements for the purpose of marketing.
Under GDPR, customers must be made aware of this including how decisions are made, the significance and consequences of such decisions along with the right to object to the processing.
Procedures in place to deal with data subjects rights
The GDPR expands upon data subjects rights.
In addition to subject access, data subjects will have the right to require inaccuracies to be corrected, information erased, prevent direct marketing and automated decision making, a right to withdraw consent, transfer data to another entity and data portability (the right for data to be provided in a usable/commonly used format such as electronic format). Procedures will need to be put in place to deal with such requests.
Subject access requests
There is currently a requirement to respond to such requests within 40 days.
Under the GDPR, this will be reduced to one month and additional information must be provided such as data retention periods, the right for data to be deleted, inaccurate data to be corrected and right to lodge complaints with the Information Commissioner’s Office (‘ICO’).
The creation of template response letters that comply with GDPR will assist in dealing with such requests.
Data breach notification
Currently, it is good practice to report personal data breaches to the ICO.
Under the GDPR, serious breaches should be reported immediately and within 72 hours of becoming aware of the breach.
Data Protection Officer
Appointing or designating an individual as a data protection officer to oversee an organisation’s compliance with data protection legislation is considered good practice.
Under the GDPR, this will be a requirement for organisations that undertake regular and systematic monitoring of data subjects on a large scale.
In light of this, it would be prudent for motor dealers to designate an individual to undertake this role.
Data Protection Policy
A data protection policy helps to ensure members of staff are aware of their data protection duties.
As the GDPR requires organisations to be able to demonstrate their compliance through technical and organisational measures, it is safe to say a data protection policy is essential and should be updated to take account of the changes introduced by GDPR.
Data Processing Agreements
Any arrangements with third parties to process data on your behalf must be in writing and contain various provisions which guarantee the data processors compliance with the GDPR.
Such provisions should be included within any new agreements entered into with third parties and existing agreements which will continue beyond 25 May 2018 should also be checked and amended as appropriate.
Such agreements may be necessary to document arrangements with third parties to undertake marketing on your behalf or where a cloud software provider holds data on your behalf.
There will no longer be a requirement for organisations that process personal data to notify the ICO of its data processing activities.
Instead, organisations must keep an internal record of their processing activities.
For motor dealers, this will mean keeping a record of customer transactions along with other specific information required under the GDPR.
Authors: James Fawcett, motor trade expert, and Jessica Cumming, data protection expert, from law firm Gordons