Figuring out what is required within your business to meet the GDPR requirements is quite a challenge.
THREE60 CRM has been privileged to work with many OEMs and dealers alike, facilitating workshops and assisting with their ongoing discussions about implementation.
The initial focus, however, appears to be on the legalities, rather than the practicalities of implementing this positive change to customer contact.
The approach we have observed from OEMs thus far is not to provide full legal advice, which is unsurprising given that much of the responsibility lies with the dealers as the data controller and that legal costs are also to be considered.
Where we have found a pressing need amongst the general dealer population is for simple guidance and the practical steps to take, ensuring that data is or will be collected, stored and used in a compliant manner.
Most OEMs are in receipt of data from their network partners and vice versa. On this basis, there is a requirement for a collaborative approach in finding the right processes and wording for data capture in such areas as the dealer/OEM website, sales enquiries, appointments, vehicle sales or aftersales jobs. This is becoming more complex for multi-franchise groups.
We have endeavoured to illustrate these key steps in this simple diagram highlighting the areas where processes should be reviewed and amended in the first instance.
We have found that a great place to start is drawing up your data map. The data map should, in our opinion, highlight the following:
- All the places where personal data is captured
- Everywhere personal data is stored
- The third parties with whom personal data is shared
- How personal data is used and processed by you and those you share it with
Where ‘sensitive data’ is concerned, some extra measures are required if it is captured and stored.
CAPTURE - You need to use the right words in brief at the stage of capturing data to be able to use it.
INFORM - The prospect or customer should be signposted to your full ‘Data Privacy Notice’, which needs to be visible in your place of business; we would suggest that this is both hosted and maintained on your website.
GAIN CONSENT - The prospect or customer should be signposted to your full data privacy notice, which should be visible in your place of business and, we suggest, hosted and maintained on your website.
Some dealers are opting for one set of opt-in flags for all ongoing contact and others for multiple sets, e.g. one for each of sales and aftersales. There is a need for a full audit trail, along with the requirements around erasing customer data at the customer's request (the right to be forgotten).
STORAGE – There is a need for data to be stored securely. As a result, we have recently become fully certified with ISO27001 which covers many of the requirements. It is advisable to check with your suppliers how they meet the data security requirements.
Identifying the right single system to become your master is essential for both capture and maintenance of prospects and customers alike.
This means ensuring that you have informed and gained consent, with opt-in flags for each contact channel, and that these are respected wherever marketing is sent, extracts for marketing are generated and calls are made. We stress this decision should not be taken lightly, given the application must fulfil all the requirements highlighted.
We recommend a single solution to source and host all your data to generate a single customer view, e.g. sales enquiries, sales, finance, aftersales visits, service plan and VHC amber.
CONTRACTS – All contracts with third parties that have access to personal data (data processors) should be reviewed and amended to meet the requirements.
Author: Chris Poulsom, CRM director, THREE60 CRM