You’ve probably heard the term GDPR lingering around for a while now, but do you really know what it is, and what you need to do to become compliant? The new regulations will affect most businesses, in and out of the automotive trade, but our easy to read guide will hopefully give you a brief summary of everything you need to know at this stage, and some helpful pointers to get you started.

First things first, what is it?

GDPR stands for the General Data Protection Regulation and it is new European legislation which has been designed to strengthen the rights of individuals when companies use, collect and share their personal data. Essentially, it puts consumers back in the driving seat.

Why is this happening?

The new GDPR law is replacing the Data Protection Act (DPA) which is now considered unsuitable for the modern world’s privacy requirements. Despite Brexit, the regulation will still go ahead as planned, coming into force on 25th May 2018.

Digital Minister Matt Hancock claimed the changes would “give people more control over their data” and give us “one of the most robust, yet dynamic, set of data laws in the world.”

Will this apply to me?

If you are currently subject to the DPA, it’s likely that you will also have to be GDPR compliant. If you are required to be compliant, this will apply to all the data you manage and store, including information of customers who are outside the European Union.

One of the major changes being implemented is that liability can now fall upon an individual (a processor) as well as the business (a controller) if there is a breach. For example, if you’re a car salesman and you breach the rules of the GDPR, you’ll also be liable to the penalties.

What happens if I don’t comply?

Well, it’s no laughing matter. The new regulations state that failure to comply could result in a fine of 4% of your turnover or €20 million, whichever is greater. In January 2018, the ICO imposed fines totalling £600,000 across four businesses that failed to comply with the current DPA legislation.

So, what do I need to do now?

1. Raise awareness

From a receptionist on the front desk to a mechanic with a job card, the GDPR will affect anyone who comes into direct contact with personal information. Sure, there’s probably some people in your business that know about the impending changes, but now’s the time to make everyone aware of how it will affect their job, and provide adequate training in any changes that you will make.

Plan of action

  • Make a list of all the areas and people within your business that GDPR relates to. This will include anyone who comes into direct contact with customer data.
  • Make a list of potential problems and an action plan for how you are going to prevent them occurring.
  • Your management or appointed GDPR team need to be GDPR savvy to enable them to guide the rest of the team in any questions they may have. They should be tasked with keeping up to date with any developments and relaying the information to other staff.
  • Consider how training will impact on your employees’ day-to-day responsibilities. Ensure you leave them enough time to get to grips with it all.

2. Data you already hold

Customer data is extremely valuable in the motor industry. It can be used to help with customer retention and boost additional services such as servicing and repairs. From May onwards, all businesses will be required to keep an account of what information they currently hold, how they obtained it, and who else has access to it. They will also be required to state how they are going to correct inaccurate information that they have shared. This is to ensure the ‘accountability principle’ is met.

Plan of action

  • You need to assess what personal data you currently hold. The definition of ‘personal data’ has been updated with it now meaning ‘anything which could make a person identifiable.’
  • As data is often accumulated over time, you need to start considering how you will find out and record where the data was acquired, for what purpose, and if it was processed lawfully.

3. Communicating privacy information

Under the new regulations, you will be required to provide a detailed privacy notice so that individuals are informed about how their data is going to be used. They should also be informed on how to complain if they feel there has been a misuse of their information. The Information Commissioner’s Office (ICO) states that a privacy notice must be clear, concise, transparent, easily accessible and free of charge.

Plan of action

  • Gather the information required for your privacy notice. Draft and redraft it, ensuring it’s watertight. Seek legal advice if you’re not sure.
  • Decide how you are going to deliver your privacy notice to individuals.

4. Individuals’ rights

The new regulation will provide individuals with rights, including:

  • The right to be informed – This will typically be covered in your privacy notice.
  • The right of access – Individuals may request access to their personal data, free of charge and within a one month time frame.
  • The right of rectification – Individuals may obtain rectification of any personal data that is inaccurate or incorrect.
  • The right to erasure / the right to be forgotten – Individuals may request that their personal data is deleted (so long as the data no longer serves the purpose for which it was collected).
  • The right to restrict processing – Individuals may block or suppress the processing of personal data.
  • The right to object – Individuals may object to you using their personal data. Unless you can provide legitimate reasons to continue, you must stop immediately.
  • The right not to be subject to automated decision making, including profiling – If you use automated decision making, individuals will have the right to challenge it and request an explanation for this decision.

Plan of action

  • You need to start compiling your policies and procedures for how you are going to manage any requests once this regulation becomes law.

5. Subject Access Requests

As highlighted in section 4, individuals will be able to request access to any personal information you hold on them, free of charge and within a one month time frame. You must reply to all requests unless you can prove that the request is clearly unfounded, repetitive or that it’s a request for further copies of the same information.

If you need longer to process a request, the time limit can be extended, but you must still notify the individual that this is the case within the original one month time frame.

Plan of action

  • Start formulating your subject access policies and procedures.
  • Start writing your standard template letters, including refusal letters.
  • If you are likely to receive a large volume of requests, consider the logistical implications of how you are going to respond to them.
  • Allocate a member of staff to deal with Subject Access Requests and ensure their contact details are readily available.

6. Lawful basis for processing personal data

In your privacy notice and subject access replies, you should explain your lawful basis for processing personal data. This could include:

  • Consent – where an individual has consented to you using their data. For example, when selling a car, your customer signed a document to say that they were happy to receive further emails from you.
  • Contractual – where the data is required to fulfil the contract for which it was obtained. For example, retailer Halfords sells car accessories through their website. They would need to collect names and addresses from their customers to post any purchased goods and fulfil the contract.
  • Legitimate interests – Private-sector organisations may process personal data without consent if legitimate reasons are presented and it doesn’t pose any harm to the individual’s rights or interests.
  • Compliance with legal obligations – This could include proof of ownership. For example, proof of ownership of a car number plate.
  • Vital interest – Processing data should be regarded as lawful when it’s necessary to protect an interest which is essential for the life of the data subject or of another person.

Plan of action

  • Assess the legal basis for why you are processing this data.
  • Consider that you may need more than just the reason of consent as to why you hold the data.

7. Consent

The regulation states that consent must be freely given, specific, informed and unambiguous. Individuals must also indicate a positive opt-in. It cannot be assumed that an individual has opted in through inactivity or a pre-ticked box. By refusing consent, the individual must not be subject to any negative ramifications as a consequence. Basically, you cannot pressure the individual into providing consent.

Once an individual has provided consent, you must keep a record of how and when it was gained to ensure that disputes are resolved efficiently if they ever occur.

You must have processes in place to review and update consent at suitable intervals. This includes cases where the individual’s age has changed and parental consent is no longer required.

So can I still send out MOT and service reminders?

Yes, as long as you can prove consent has been given to do so. You may decide that you need to obtain new documented consent from your existing customer database.

Plan of action

  • Assess how you currently seek, record and manage consent.
  • Consider how you are going to ask people explicitly to positively opt-in, using clear and concise language.
  • Consider any third parties (that will have access to the data) that the individual must also give consent to.
  • Prepare how you are going to store proof of consent.

8. Children

If data is collected on a child under 16 years old, a parent (or guardian) may also need to provide consent. In order for the child to give consent, the privacy notice must be written in language that children can understand.

Plan of action

  • Consider if any of your products or services require parental consent.
  • Start considering how you will attain parental consent if necessary.

9. Data breaches

You will be required to have procedures in place to detect, report and investigate a personal data breach. The GDPR defines a breach as, ‘a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to personal data.’

You can notify the ICO of a breach if it is likely to result in identity theft, discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant disadvantage. Once a breach is identified, it must be reported to the relevant authority within 72 hours. Failure to report a breach could result in a fine, as well as a fine for the breach itself.

The regulations state that individuals must be notified if there has been a breach and if there’s a HIGH risk of them being affected. It is up to you to decide what constitutes a ‘high risk,’ although this decision can be challenged and overturned by the authorities.

If you are required to notify individuals of a breach, you must provide:

  • A description of the breach.
  • The data involved in the breach.
  • A contact person who can provide more information.
  • The possible repercussions which could occur from the breach.
  • The actions taken to reduce the consequences of the breach.

So do I need to update my current computerised system?

As long as there are compliant security measures in place, you won’t need to. Contact the suppliers of your system for further advice.

Plan of action

  • Consider how you are going to implement an internal breach management system and reporting process.
  • Consider that your staff will need to be trained on recognising and reporting a breach.
  • Decide who is responsible for managing any breaches if they occur.

10. Data Protection by Design and Data Protection Impact Assessments (DPIA)

It has always been good practice to adopt a privacy by design approach, and to carry out a Privacy Impact Assessment (PIA). This means an obligation for the business to deploy technical and organisational measures to show that they have integrated data protection within their data processing.

A DPIA is now a legal requirement in most instances, particularly where the processing is likely to pose a high risk to individuals. This could include:

  • Where new technology is being implemented.
  • Where a profiling operation could affect an individual.
  • Where there is large scale processing of sensitive information. For example, in a hospital.

A DPIA is not mandatory if the rights or freedoms of the individual are not put at risk.

Plan of action

  • You need to document your data protection compliance, including a risk assessment and steps taken to minimise risk.

11. Data Protection Officers

A Data Protection Officer (DPO) is the person responsible for data protection compliance within the business. They must take responsibility for compliance and have the knowledge, support and authority to carry out their role effectively.

While it isn’t a legal requirement for everyone, you will need to nominate someone to undertake this role if:

  • You are a public authority (except for courts acting in their judicial capacity).
  • You are an organisation that carries out regular and systematic monitoring of individuals on a large scale.
  • You are an organisation that processes sensitive data on a large scale. For example, information on criminal convictions.

Plan of action

  • If you are required to appoint a DPO, consider who will be suitable to take up the position.
  • Consider that it may be beneficial for the business to appoint someone, even if you aren’t legally obliged to.

12. International

If your business operates in more than one European country (and you operate across national boundaries), you will be required to determine who your lead data protection supervisory authority is, and document it. This authority should be in the country where your main establishment is located and where the most significant decisions about processing data are made.

Businesses are not allowed to transfer personal data to a country outside of the European Economic Area (EEA) that does not have adequate data protection.

Plan of action

  • If you don’t have European or international clients, consider whether you are likely to do so in the future.

Feeling overwhelmed?

You’re not alone, as most companies in the UK will need to make some changes, even if they’re currently DPA compliant. We know ourselves that there is a lot of work to do. You can rest assured though that your favourite automotive job board will be GDPR compliant come May 25th.


*Please note that this information is intended for general information only and is not intended to provide legal advice.