AM Online

Who owns customer data? Under GDPR, customers do – so get ready

The recent AM Digitech Conference highlighted the importance of data in the modern business world.

There has been a major shift in the orientation of the motor retail sector over the past three years. Historically, the primary focus was on the product, with manufacturers boasting or claiming their product was class-leading and as a result would undoubtedly outsell the competition. The emphasis has shifted more to market orientation, where information and access to customers is a major factor driving sales success.

Jim Saker

Professor Jim Saker is
director of the Centre for
Automotive Management
at Loughborough
University’s Business
School and an
AM Awards judge.
He has been involved
in the automotive
industry for more
than 20 years.



For me, the most interesting aspect of the AM conference was the discussion entitled the ‘Great Data Debate.’ The focus of the discussion was around the new EU General Data Protection Regulation (GDPR), which is due to come into operation in May 2018.  For a long time, there has been a tension between dealers and manufacturers over who owns the customer information. GDPR solves this by stating that it is the customer who owns their own data and it is up to them whether they share it with you or not. On top of this, there are rules on increased level of cyber-security, with the appointment of data controllers to record all dealer transactions.

The regulation gives customers the right to opt out or to stop their data being shared between dealers, finance houses or manufacturers. Martin Hickley of GO DPO portrayed a scenario where the Information Commissioner’s Office can step in if non-compliance is found and order a temporary or permanent cessation of data processing and data transfers. The recent malware attack that affected the NHS highlighted the problem of running an organisation without using electronically generated information.  

Many dealers rely on third-party providers for much of their data management systems.  A number of commentators have suggested that dealers cannot simply rely on these intermediaries to make them compliant. It is highly unlikely that any data system provider will either want to or be able to underwrite the liability for non-compliance to the regulation.

In reality, most data breaches are not caused by machines, but by people, either not understanding their responsibility or how the technology works.  One of the biggest issues will be the training of staff in understanding this new regulation and what impact it will have on them or the organisation.  

The next biggest issue will be if members of the public request their data not be used in our interactions with them. This would make things such as MOT and service reminders problematic.

Like most legislation, until it is activated we are not likely to know the full implications, but there is definitely a need for preparations to be made as it could radically change our interaction with our customer base.

If you are not a registered user your comment will go to AM for approval before publishing. To avoid this requirement please register or login.

Login to comment


  • Michael - 27/06/2017 10:36

    "GDPR solves this by stating that it is the customer who owns their own data and it is up to them whether they share it with you or not." This is a huge misrepresentation of the regulation. Shameful that a university professor feels it is right to comment on something highly complex without having read or understood it.