AM Online

Guest opinion: Why ISO27001 and GDPR go hand-in-hand

Gary Hibberd, managing director, The Agenci

The automotive industry, like the rest of the world, is becoming increasingly reliant on digital relationships, both business and personal.

As ‘virtual’ relationships become more prevalent it is more important than ever to be able to establish trust.

In business, one way to establish that trust is to be certified against international standards by an independent, accredited certification body.

For any business that handles personal data, whether for customer insight or data capture, as most dealerships, brokers and insurers do, ISO27001 (formally ISO/IEC 27001) is the most widely recognised of these standards.

This international standard does not look at data only from a technical perspective: it asks businesses to treat information security as a managed process and provides a framework for the controls around physical security (premises, secure storage etc.), employees (how you recruit and train people), systems (how you protect your digital estate) and suppliers (whom you trust and how you verify them).

This matters because ‘risk’ is often perceived as confined to digital devices, but the environment those devices sit in, and the people who use them, are of at least as much concern.

The automotive industry is one that collects lots of personal information and shares it broadly with lenders, other offices, and insurers.

It is also an industry that has been around for a long time, so the underlying technical infrastructure may not be as robust (or secure) as in newer industries. Attackers know this and will exploit it to their advantage.

Dealers of all sizes need to consider risk from every angle, as the threats to data grow daily. They come, of course, from traditional criminals who increasingly turn to the internet to steal data from organisations (and sectors) that hold large quantities of it.

Information (aka ‘Data’) is the currency of the internet, and the value is high.

But what about the ‘insider threat’? The salesperson who has access to all your customers: would that information be of value to a competitor? How do you stop them taking it? The answer is a set of controls rather than a single product: access limited to what each role actually needs, logging and monitoring that would show a bulk export of customer records, and a leaver process that removes access on the day someone goes. The only way to be confident that information is protected is a structured approach of this kind, such as ISO27001.

This standard isn’t easy to obtain (if it were easy, everyone would do it), but it is achievable by anyone willing to focus their attention on developing a strong, secure business. It requires resources, planning and investment, but more than anything it requires leadership and a genuine desire to serve clients better.

It changes the way you treat data, because it requires you to change how you handle it. And there has never been a better time to look at that, because the law in this area is changing and will affect you, your business and your industry in a profound way.

From May 25th, 2018, the new General Data Protection Regulation (GDPR) applies, ushering in a new era in data protection.

The regulation fundamentally changes how we treat data: it changes how you carry out marketing and how you protect information, and it gives new ‘rights’ to data subjects.

Getting it right means greater trust and potentially reduced operating costs.

Get it wrong, and there are large fines (up to €20 million or 4% of global annual turnover, whichever is higher), not to mention the impact on your reputation. The ICO has already fined Honda under existing UK marketing rules for consent emails sent while preparing for GDPR, so the regulator is already watching this sector.

So how can you prove you are doing all you can to ensure you’re treating data with the respect it deserves?

There is much more to GDPR than implementing ISO27001, and certification does not by itself make you compliant, but by starting with it you are adopting a new approach to how you treat data and how you protect it.

The need for ISO27001 is gradually being recognised in some parts of the automotive industry, such as Leeds-based DealTrak.

DealTrak, an F&I platform that gives dealers access to lenders and brokers, is a good example of a business that genuinely wants to serve its clients better and be ‘future-proofed’.

They have adopted the ISO27001 framework: their policies and processes have been revised and updated to reflect the importance of security, their teams have been trained on security, and their management team actively supports audits and management reviews of their security practices.

All of this combines to make a business more robust, resilient and ready for the GDPR and for the future of cyber security. 

DealTrak is certified to ISO27001, not because it has to be but because it wants to be, and it is this kind of drive and leadership that will ensure it is better prepared for the years to come.

So, when navigating the waters of your business and selecting new suppliers, ask whether they are ISO27001 certified, and then check the certificate: who issued it (in the UK, a UKAS-accredited certification body), whether it is still current, and whether its stated scope actually covers the service you are buying. That question could be the difference between smooth sailing and a sinking ship.



  • Dan - 18/09/2017 13:25

    How can DealTrak be accredited? Have UKAS accredited them? I believe the correct term is certified, so some information here is factually incorrect.