If you want to avoid a fine of up to 20 million Euros or 4% of your annual global turnover, now is not too soon to make sure you have systems in place to comply with the GDPR which comes into force in May 2018.
The GDPR (General Data Protection Regulations) is a European piece of law which will apply to UK businesses from May 2018.
Regardless of Brexit, UK businesses will need to comply, and to ensure they do so the Government is preparing what is essentially a UK version of the Regulations, due to be published in the autumn of 2017 in the form of a new Data Protection Act. It is thought the new Act will repeal (fully replace) the current Data Protection Act, which is now somewhat outdated as online business and technology have moved on considerably since its implementation in 1998.
While it is currently unclear exactly what will be in the new Data Protection Act, it will cover all the requirements of the GDPR: for trade purposes, the UK needs to ensure its businesses meet at least the same standards of data protection as their future EU trading partners.
Who advises on and enforces the GDPR?
The Information Commissioner (ICO) is the lead body on GDPR. The ICO was set up under the Data Protection Act 1998 as an independent authority to look after public information rights. They provide advice to the public and organisations on issues such as spam texts and emails, CCTV, Subject Access Requests (SARs), opting out of the open electoral register, identity theft and now also the use of drones. They are also responsible for the enforcement of all things data protection.
They are very active in issuing fines for data breaches under both the current Data Protection Act and the Privacy and Electronic Communications Regulations (PECR). They don’t discriminate: fines have been issued to charities, police forces and Local Authorities as well as businesses.
Recent fines given out to companies within the motor trade include:
May 2017, Concept Car Credit – fined £40,000 for a “serious contravention” of the PECR.
This Manchester based car dealer, which also brokers car finance, was reported by 66 people about the receipt of unsolicited direct marketing text messages. They had sent texts out to over 300,000 people whose details they had obtained from third party introducers, who advised Concept that all names on the list had opted in to having their details shared with third parties. The ICO decided this did not amount to consent and issued the fine despite conceding that Concept did not deliberately breach the PECR. The advice here, then, is that if you are purchasing marketing lists, do your own due diligence around consent and do not simply rely on what a third party seller has told you.
March 2017, Honda Motor Europe Limited – fined £13,000 for a “serious contravention” of the PECR.
In what was an effort to ensure they were complying with the various data protection laws, Honda emailed 343,093 individuals for whom no opt in or opt out consent information was held on their database, following a design flaw in the software portal at their dealerships. The email asked, “would you like to hear from Honda?”. One recipient complained to the ICO and the fine followed. The lesson here is that if you do not have express, freely given, specific and informed consent, do not use your customer’s or your potential customer’s details.
September 2016, Carfinance247 Limited – fined £30,000 for a “serious contravention” of the PECR.
This finance brokerage was reported by 912 people in regard to unsolicited direct marketing text messages. Carfinance247 had employed an affiliate partner who, they said, had sent out promotional text messages to some 65,000 people without their prior knowledge or authority. The ICO then spoke to the affiliate, who declared that Carfinance247 had agreed to pay commission for lead generation and had been fully aware of the marketing strategy and its use of text messages. Again the ‘consent’ was a third party opt in, and as the ICO ruled that Carfinance247 ought to have been aware that this was a breach, they were fined. The lesson here: ignorance is not a defence, so be sure to get clued up.
It is interesting that the largest of the above fines went to the car dealer and not the manufacturer, so don’t be fooled into thinking that just because you are a smaller business, you are somehow exempt.
In short, there has been a huge hooha about the GDPR, and data protection is a hugely hot and important topic. However, for many car dealers and garages, it is not as onerous as the publicity may have you believe. That said, do not underestimate the power and motivation of the ICO, so do ensure you, at the very least, action Steps 2, 3, 6 and 7 below.
So what should I be doing now?
The ICO has produced a 12 point plan and this will keep you productively busy until the new Data Protection Act comes in.
Step 1 – Awareness
Do you, your Directors and Managers know about the GDPR? If not, they need to get reading, as you need to work out what you must do to ensure compliance.
Step 2 – Information you hold
Compile a list of what personal data you hold, where it came from and who you share it with. For car dealers and garages, you are likely to have paper sales invoices, electronic sales invoices, lists of customers and the dates their MOTs and services are due, employee details, prospective customer details, previous customer details, IP address information from website visits and marketing lists compiled by either yourselves or third parties.
If you are a Main Dealer and pass information on to your manufacturer, you must make sure the personal data you hold is correct and that you have explicit opt in consent to pass that data on. Manufacturers need to conduct due diligence to ensure any data passed to them has the relevant consent; writing to the customers where consent isn’t clear is not the way to go unless you want a fine, as Honda found out to their detriment. If any data is incorrect, you must show you have advised the third party of the error so they can amend their records.
If you compile a list of the types of personal data you hold, not only will you identify your possible problem areas, you will also have evidence to show the ICO that you are complying with the accountability principle of the GDPR, so it’s a double tick exercise.
Step 3 – Communicating privacy information
Review your privacy notices; this includes checking you comply with the PECR. For example, if your website sets cookies, you must have a notice that tells visitors that the cookies are there and what they are doing, and you must get their permission to store a cookie on their device. Also check your paper privacy and consent notices.
In addition to the current rules, the GDPR requires you to explain your lawful basis for processing the data, to advise the individual how long you will retain the data and to let individuals know they have the right to complain to the ICO if there is a problem.
Step 4 – Individuals’ rights
The GDPR gives individuals certain rights, namely:
- the right to be informed;
- the right of access (including Subject Access Requests – SARs);
- the right to rectification (data must be amended within one month);
- the right to erasure (not if the data is being used in the exercise or defence of a legal claim);
- the right to restrict processing;
- the right to data portability;
- the right to object; and
- the right not to be subject to automated decision-making including profiling (automated credit decisions can still be made as they can be deemed necessary for entering into a contract between a finance company and the individual).
Step 5 – Subject access rights
Under ‘the right of access’, the current £10 fee for a Subject Access Request (SAR) is no more. Individuals can now request copies of the information you hold on them for free (unless the request is unfounded or repetitive), and it has to be provided without delay and at the latest within one month, instead of the current 40 days.
The quick turnaround means you should have a policy in place for how you deal with these requests.
Step 6 – Lawful basis for processing personal data
Having completed Step 2 and compiled your list of what data you hold, you need to work out and document the lawful basis on which you process that data. For most of the data held by car dealers and garages, you are likely to use one of the following processing conditions to justify holding and processing the data:
1. consent has been obtained from the data subject
2. processing is necessary for the performance or future performance of a contract with the data subject
3. processing is necessary for compliance with a legal obligation
4. you have a legitimate interest in processing the data
For marketing activities, for example sending reminders about a servicing and MOT offer or advising of a new deal on certain vehicles, you are likely to rely on the consent condition. The consent has to be clear and freely given, so there must be an opt in (as opposed to an opt out) and the consent clause must not be tucked away in other T&Cs. In short, if you want to send out marketing material, make sure you have a record of where the individual opted in to receive marketing from you. Do not rely on assurances from third party introducers, or you may end up with a £30,000 fine like Carfinance247.
For employee data, consent to hold information may no longer work under the GDPR, as there could be seen to be a power imbalance between employer and employee. In this case, you should be able to rely on processing conditions 2, 3 and 4: you need your employees’ information to have a contract of employment with them, you need it to perform your legal obligation to pay tax and NI, and you have a legitimate business interest in holding and processing such information.
For sales paperwork and records, you can justify holding and processing this information under processing condition 2: quite simply, you need the customer’s details to enter into a contract with them to buy the car or have the service or repair undertaken. Do think about what information you actually need in these circumstances though, as the GDPR has an emphasis on minimising data processing, so if you never email people, don’t ask for the email address. If you make notes on, for example, the customer’s wife’s or children’s names so you can build a rapport with them over time, you will have to rethink how you hold this information: you will not have the consent of the wife to hold her name, and you will be left arguing that holding her name falls under the legitimate interest condition, which is unlikely to wash if she complains.
In practice, if you do a thorough job at Step 2 and then apply the correct processing condition to all the types of personal data you hold, you will pretty much be compliant and up and running, both from a due diligence point of view and a compliance point of view.
Step 7 – Consent
This is a big part of the GDPR, which has set a high standard for consent. I am sure we are all fed up with the relentless calls from PPI and car accident claims companies. Just where did they get our contact details?
Consent has to be specific (you can’t say “we will pass your details on to interested third parties”; you will now have to name those third parties and get specific consent for each type of processing activity). It has to be granular (not a one size fits all consent), clear, prominent (made separately from other T&Cs), opt-in (no pre-ticked opt-in boxes), properly documented (you will need to evidence where and how the individual gave consent) and easily withdrawn (you must tell people how to withdraw consent).
Step 8 – Children
It is unlikely that car dealers and garages will have to worry about the consent of children, meaning those under 16 or, in some circumstances, 13.
Step 9 – Data breaches
You do need to ensure you properly protect people’s data and can identify a data breach. Paper invoices and the like should be kept in files out of the way of the public, and you should review the security of your IT systems to ensure only the right people can access certain data. If your marketing database of 10,000 customer details is hacked, you will almost certainly have a duty to advise the ICO within 72 hours of discovering the breach.
Failure to report a breach can mean a fine of up to 10 million Euros. TalkTalk were recently fined £100,000 by the ICO after the personal details of 21,000 customers were leaked into the public domain by hackers, so do talk to your IT bods to make sure you have adequate provision in place to prevent a similar attack.
Step 10 – Data protection by Design and Data Protection Impact Assessments
A Data Protection Impact Assessment (DPIA) will be mandatory under the GDPR in certain circumstances, such as when a manufacturer rolls out a new IT system to hold customer details. This requirement is unlikely to be a concern to most dealers and garages, although it will be required if you, as employer, systematically monitor your employees’ internet activity. You should check with the ICO if you are unsure whether your processing activities fall into the category requiring a DPIA, or alternatively wait for the new Data Protection Act to see if we are given more clarity.
Step 11 – Data Protection Officers
Larger businesses will almost certainly require a dedicated Data Protection Officer, but for most dealers and garages the duties can form part of someone’s role. However, it should be noted that it is not just a job title: there is a fair amount of responsibility and a lot of potential for fines if it all goes wrong.
Step 12 – International
Unless you operate outside of the UK, you don’t need to concern yourself with any cross border processing. If you do, then your lead data protection supervisory authority will be in the location of your main establishment. Again, check with the ICO if you are unsure.