GDPR and avoiding a fine of up to 20 million Euros


The GDPR (General Data Protection Regulations) is a European piece of law which will apply to UK businesses from May 2018.

Read our disclaimer keyboard_arrow_down

This website content is intended as a general guide to law as it applies to the motor trade. Lawgistics has taken every effort to ensure that the contents are as accurate and up to date as at the date of first publication.

The laws and opinions expressed within this website may be varied as the law develops. As such we cannot accept liability for or the consequence of, any change of law, or official guidelines since publication or any misuse of the information provided.

The opinions in this website are based upon the experience of the authors and it must be recognised that only the courts and recognised tribunals can interpret the law with authority.

Examples given within the website are based on the experience of the authors and centre upon issues that commonly give rise to disputes. Each situation in practice will be different and may comprise several points commented upon.

If you have any doubt about the correct legal position you should seek further legal advice from Lawgistics or a suitably qualified solicitor. We cannot accept liability for your failure to take professional advice where it should reasonably be sought by a prudent person.

All characters are fictitious and should not be taken as referring to any person living or dead.

Use of this website shall be considered acceptance of the terms of the disclaimer presented above.

If you want to avoid a fine of up to 20 million Euros or 4% of your annual global turnover, now is not too soon to make sure you have systems in place to comply with the GDPR which comes into force in May 2018. 

The GDPR (General Data Protection Regulations) is a European piece of law which will apply to UK businesses from May 2018. 

Regardless of Brexit, UK businesses will need to comply and to ensure they do so, the Government is preparing what is essentially a UK version of the Regulations which is due to be published in the Autumn of 2017 in the form of a new Data Protection Act. It is thought the new Act will repeal (fully replace) the current Data Protection Act which is now somewhat outdated as on-line business and technology has moved on considerably since its implementation in 1998.

While it is currently unclear as to what exactly will be in the new Data Protection Act, it will cover all the requirements of the GDPR as for trade purposes, the UK needs to ensure its businesses meet at least the same standards in data protection as their future EU trading partners.  

Who advises on and enforces the GDPR?

The Information Commissioner (ICO) is the lead body on GDPR. The ICO was set up under the Data Protection Act 1998 as an independent authority to look after public information rights. They provide advice to the public and organisations on issues such as spam texts and emails, CCTV, Subject Access Requests (SARs), opting out of the open electoral register, identity theft and now also the use of drones. They are also responsible for the enforcement of all things data protection. 

They are very active in issuing fines for data breaches under both the current Data Protection Act and also the Privacy and Electronic Communications Regulations (PECR). They don’t discriminate and fines have been issued to charities, police forces and Local Authorities as well as businesses.  

Recent fines given out to companies within the motor trade include:

This Manchester based car dealer who also brokers car finance was reported by 66 people about the receipt of unsolicited direct marketing text messages. They had sent texts out to over 300,000 people whose details they had obtained from third party introducers who advised Concept that all names on the list had opted in to having their details shared with third parties. The ICO decided this did not amount to consent and issued the fine despite conceding that Concept did not deliberately breach the PECR. The advice here then is if you are purchasing marketing lists, do your own due diligence around consent and do not simply rely on what a third party seller has told you.

May 2017, Concept Car Credit – fined £40,000 for a “serious contravention” of the PECR.

In what was an effort to ensure they were complying with the various data protection laws, Honda emailed 343,093 individuals against whom no opt in or opt out consent information was held on their database following a design flaw in the software portal at their dealerships. The email asked, “would you like to hear from Honda?”. One recipient complained to the ICO and the fine followed.  The lesson here is if you do not have express, freely given, specific and informed consent, do not use your customer’s or your potential customer’s details. 

Profit BoxDevelop your people like your business depends on it

What most people don’t know is that talent development doesn’t have to be complicated, high risk or expensive. Once they integrate key development stages, the results can be remarkable. Empower your team. Lead your industry. We’re your strategic learning partner, driving performance by moving skills forward.

March 2017, Honda Motor Europe Limited – fined £13,000 for “serious contravention” of the PECR.

This finance brokerage was reported by 912 people in regard to unsolicited direct marketing text messages. Carfinace247 had employed an affiliate partner who they said had, without their prior knowledge or authority, sent out promotional text messages to some 65,000 people. The ICO then spoke to the Affiliate who declared that Carfinance247 had agreed to pay commission for lead generation and that Carfinance247 had been fully aware of the marketing strategy and its use of text messages. Again the ‘consent’ was a third party opt in and so as the ICO ruled that Carfinance247 ought to have been aware that this was a breach, they were fined. The lesson here; ignorance is not a defence so be sure to get clued up.

September 2016, Carfinance247 Limited – fined £30,000 for a “serious contravention” of the PECR.

It is interesting that the largest of the above fines went to the car dealer and not the manufacturer and so don’t be fooled into thinking that just because you are a smaller business, you are somehow exempt.

In short, there has been a huge hooha about the GDPR and data protection is a hugely hot and important topic. However, for many car dealers and garages, it is not as onerous as the publicity may have you believe. That said, do not underestimate the power and motivation of the ICO and so do ensure you, at the very least, action Step 2, 3, 6 and 7 of the below.

So what should I be doing now?

The ICO has produced a 12 point plan and this will keep you productively busy until the new Data Protection Act comes in. 

Step 1 – Awareness

Do you, your Directors and Managers know about the GDPR? If not, they need to get reading as you need to work out what you need to do to ensure compliance.

Step 2  – Information you hold

Compile a list of what personal data you hold, where it came from and who you share it with. For car dealers and garages, you are likely to have paper sales invoices,  electronic sales invoices, lists of customers and dates their MOTs and services are due, employee details, prospective customer details, previous customer details, IP address information from website visits and marketing lists complied by either yourselves or third parties.

If you are a Main Dealer and pass information onto your manufacturer, you must make sure the personal data you hold is correct and that you have explicit opt in consent to pass that data on. Manufacturers need to conduct due diligence to ensure any data passed to them has the relevant consent – writing to the customers where consent isn’t clear is not the way to go unless you want a fine as Honda found out to their detriment. If any data is incorrect, you must show you have advised the third party of the error so they can amend their records.  

If you compile a list of the type of personal data you hold, not only will you identify your possible problem areas, you will also have evidence to show the ICO that you are complying with the accountability principle of the GDPR so it’s a double tick exercise. 

Step 3 – Communicating privacy information

Review your privacy notices, this includes checking you comply with the PECR. For example, if your website sets cookies, you must have a notice that tells visitors that the cookies are there and what they are doing and get their permission to store a cookie on their device. Also check your paper privacy and consent notices. 

Click here for ICO examples of good and bad notices

In addition to the current rules, the GDPR requires you to explain your lawful basis for processing the data, to advise the individual for how long you will retain the data and to let  individuals know they have the right to complain to the ICO if there is a problem. 

Step 4 – Individuals rights

The GDPR gives individuals certain rights namely:

  • the right to be informed;
  • the right of access (including Subject Access Requests – SARs);
  • the right to rectification (data must be amended within one month);
  • the right to erasure (not if the data is being used in the exercise or defence of a legal  claim);
  • the right to restrict processing;
  • the right to data portability;
  • the right to object; and
  • the right not to be subject to automated decision-making including profiling (automated credit decisions can still be made as they can be deemed necessary for entering into a contract between a finance company and the individual).

Step 5 – Subject access rights

Under ‘the right to access’ the current £10 fee for a Subject Access Request (SAR) is no more. Individuals can now request copies of the information you hold on them for free (unless the request is unfounded or repetitive) and it has to be provided without delay and at the latest within one month instead of the current 40 days.  

The quick turnaround means you should have a policy in place for how you deal with these requests. 

Step 6 – Lawful basis for processing personal data

Having completed Step 2 and compiled your list of what data you hold, you need to work out and document the lawful basis on which you process that data. For most of the data held by car dealers and garages, you are likely to use one of the following processing conditions to justify holding and processing the data:

1.  consent has been obtained by the data subject
2.  processing is necessary for the performance or future performance of  a contract with the data subject 
3.  processing is necessary for compliance with a legal obligation
4.  you have a legitimate interest in processing the data

For marketing activities, for example sending reminders about a servicing and MOT offer or to advise of a new deal on certain vehicles, you are likely to rely on the consent condition. The consent has to be clear and freely given and so there must be an opt in (as opposed to an opt out) and the consent clause must not be tucked away in other T&Cs. In short, if you want to send out marketing activity, make sure you have a record of where the individual opted in to receive marketing from you.  Do not rely on assurances from third party introducers else you may end up with a £30,000 fine like Carfinance247. 

For employee data, consent to hold information may now not work under the GDPR as there could be seen to be a power imbalance between employer and an employee. In this case, you should be able to rely on processing conditions 2, 3 and 4 as you do need your employee’s information to have a contract of employment with them, you need it to perform your legal obligation to pay tax and NI and you have a legitimate business interest to hold and process such information. 

For sales paperwork and records, you can justify holding and processing this information under processing condition 2 as quite simply, you need their details to enter into a contract with them to buy the car or have the service or repair undertaken. Do think about what information you actually need in these circumstances though as the GDPR has an emphasis on minimalising data processing and so if you never email people, don’t ask for the email address. If you make notes on, for example, the customer’s wife’s or children’s name so you build a rapport with them over time, you will have to rethink how you hold this information as you will not have the consent of the wife to have her name and you will be left arguing that holding her name  falls into the legitimate interest condition which is unlikely to wash if she complains.

In practice, if you do a thorough job at Step 2 and then apply the correct processing condition to all the types of personal data you hold, then you will pretty much be compliant and up and running both from a due diligence point of view and a compliance point of view. 

Step 7 – Consent

This is a big part of the GDPR which has set a high standard for consent. I am sure we are all fed up with the relentless calls from PPI and car accident claims companies. Just where did they get our contact details?

Consent has to be specific (you can’t say we will pass your details on to interested third parties, you will now have to name those third parties and get specific consent for each type of processing activity). It has to be granular (not a one size fits all consent), clear, prominent (made separately to other T&Cs), opt-in (no pre ticked opt-in boxes), properly documented (you will need to evidence where and how the individual gave consent) and easily withdrawn (you must tell people how to withdraw consent) .  

Click here for a handy consent checklist

Step 8 – Children

It is unlikely that car dealers and garages will have to worry about the consent of children  – those under 16 or in some circumstances 13.

Step 9 – Data breaches

You do need to ensure you properly protect peoples data and can identify a data breach. Paper invoices and the like should be kept in files out of the way of public and you should review the security of your IT systems to ensure only the right people can access certain data. If your marketing database of 10,000 customer details is hacked, you will almost certainly have a duty to advise the ICO within 72 hours of discovering the breach.

Failure to report a breach can mean a fine up to 10 million Euros. Talk Talk were recently fined £100,000 by the ICO following the personal details of 21,000 customers being leaked into the public domain by hackers and so do talk to your IT bods to make sure you have adequate provision in place to prevent a similar attack. 

Step 10 – Data protection by Design and Data Protection Impact Assessments

A Data Protection Impact Assessment (DPIA) will be mandatory under the GDPR in certain circumstances such as when a manufacturer rolls out a new IT system to hold customer details but this requirement is unlikely to be a concern to most dealers and garages although it will be required if you as employer systematically monitor your employee’s internet activity. You should check with the ICO if you are unsure if your processing activities fall under the category of requiring a DPIA or alternatively wait for the new Data Protection Act to see if we are given more clarity. 

Step 11 – Data Protection Officers

Larger business will almost certainly require a dedicated Data Protection Officer but for most dealers and garages, the duties can form part of someone’s role. However, it should be noted it is not just a job title, there is a fair amount of responsibility and a lot of potential for fines if it all goes bandy.  

Step 12 – International 

Unless you operate outside of the UK, you don’t need to concern yourself with any cross border processing. If you do, then your lead data protection supervisory authority will be in the location of your main establishment. Again check with the ICO if you are unsure. 

Nona BowkisHead of Legal Services / SolicitorRead More by this author

Related Legal Updates

Time to review your privacy policy?

Our members should be aware of whom they are sharing their data with, and ensure any third-party companies are registered with the ICO.

Data Protection is real and mistakes can cost your business

Most fines from the ICO are against large companies that send out unsolicited marketing messages.

Do you know what a personal data breach is?

If a security incident has taken place, you should quickly establish whether a personal data breach has occurred. If yes, promptly take steps to address it, including telling the ICO if required. You need to keep a log of any breaches, record the details, and actions taken.

Are you ready for the UK’s data landscape change?

The ramifications for not having the correct policy and procedures in place could be costly, not only by a fine from the ICO for not paying your fee, but also by being reported for data breach

Used cars – a treasure trove of personal data and a data breach in the making

Modern cars pair with smart phones and other electronic devices via Bluetooth or USB and absorb huge amounts of our personal data.

Police ordered to disclose information

Citing the provisions of the Data Protection Act 2018.

£820 out of pocket due to a data breach

Ex-employee admitted to three offences of unlawfully obtaining personal data.

So simple a child could use it

HR Manager is award-winning cloud-based compliance management software powered by Lawgistics.

Keeping track of templates, downloading new copies, worrying whether forms have gone out of date, trying to track recent legislation changes, backing up all the documents – all of this happens on top of your normal work. Thankfully, there is a better way.

Find out more

Get in touch

Complete the form to get in touch or via our details below:

01480 455500

Vinpenta House
High Causeway

By submitting this quote you agree to our Terms & Conditions and Privacy & Cookies Policy.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.