GDPR – you need to undertake an information audit

legal updates

As a business you will almost certainly use peoples personal data and if you do, then that makes you a Data Controller for GDPR purposes.

Read our disclaimer keyboard_arrow_down

This website content is intended as a general guide to law as it applies to the motor trade. Lawgistics has taken every effort to ensure that the contents are as accurate and up to date as at the date of first publication.

The laws and opinions expressed within this website may be varied as the law develops. As such we cannot accept liability for or the consequence of, any change of law, or official guidelines since publication or any misuse of the information provided.

The opinions in this website are based upon the experience of the authors and it must be recognised that only the courts and recognised tribunals can interpret the law with authority.

Examples given within the website are based on the experience of the authors and centre upon issues that commonly give rise to disputes. Each situation in practice will be different and may comprise several points commented upon.

If you have any doubt about the correct legal position you should seek further legal advice from Lawgistics or a suitably qualified solicitor. We cannot accept liability for your failure to take professional advice where it should reasonably be sought by a prudent person.

All characters are fictitious and should not be taken as referring to any person living or dead.

Use of this website shall be considered acceptance of the terms of the disclaimer presented above.

In just over 4 months, your business will need to be GDPR compliant. No ifs, no buts, no maybes.

We await the UK’s own new Data Protection Act 2018 which is still being debated over in the House of Lords. This new Act will consolidate and add to your responsibilities which are already set out in the European GDPR and so whatever the UK Act says, you still need to be GDPR compliant as of 25 May 2018.

If you are already cracking on to ensure you will be compliant, then you will be ahead of the game. However, if you are reading this and have been trying to ignore GDPR or think it doesn’t apply to you then you probably need to have a rethink.

First up, you need to undertake an information audit. As a business you will almost certainly use peoples personal data (writing a customer’s name on an invoice means you are using their personal data – it really is that basic) and if you do, then that makes you a Data Controller for GDPR purposes.

A Data Controller under GDPR is the organisation which collects and uses the personal data. If you sell cars to individuals or are a service and repair garage  – you are a Data Controller. The first 2 steps we suggest you take are to:  

1.    List what type of data you hold

2.    Work out on what basis you are legally allowed to use that data   

Your audit doesn’t have to be sophisticated, it could be as simple as this:

Type of data – customers details on invoices  
Legal basis for using this data – necessary for performance of a contract, compliance of a legal obligation (keeping accurate records for HMRC)  

Type of data – employee details
Legal basis for using this data – necessary for performance of a contract, compliance of a legal obligation (need to pay their tax, NI etc)

Connected Car FinanceReady to take the connected approach?

We’re here to ensure all used car dealerships deliver a better car finance experience for their customers. With over 4,000 approved dealer partners we ensure you are properly supported and connected with a range of flexible finance options, allowing you to lend and your customers to buy in complete confidence.

Type of data – customer emails and postal addresses for sending out MOT reminders
Legal basis for using this data – consent (more on this next time) and, arguably, legitimate business interest (more on this to come too).

In very simple terms, as a business you will use personal data, your starting point is listing what type of data you hold and then working out the legal basis on which you are allowed to use it. Once you have done that, you need to think about how you look after that data – physically and digitally.   

Nona BowkisHead of Legal Services / SolicitorRead More by this author

Related Legal Updates

Time to review your privacy policy?

Our members should be aware of whom they are sharing their data with, and ensure any third-party companies are registered with the ICO.

Data Protection is real and mistakes can cost your business

Most fines from the ICO are against large companies that send out unsolicited marketing messages.

Do you know what a personal data breach is?

If a security incident has taken place, you should quickly establish whether a personal data breach has occurred. If yes, promptly take steps to address it, including telling the ICO if required. You need to keep a log of any breaches, record the details, and actions taken.

Are you ready for the UK’s data landscape change?

The ramifications for not having the correct policy and procedures in place could be costly, not only by a fine from the ICO for not paying your fee, but also by being reported for data breach

Goodbye 2021, hello 2022!

Despite an excess of 100 different commission claims hitting the Lawgistics’ desks, not one single dealer has had to part with their money.

Used cars – a treasure trove of personal data and a data breach in the making

Modern cars pair with smart phones and other electronic devices via Bluetooth or USB and absorb huge amounts of our personal data.

Police ordered to disclose information

Citing the provisions of the Data Protection Act 2018.

Get in touch

Complete the form to get in touch or via our details below:

01480 455500

Vinpenta House
High Causeway

By submitting this quote you agree to our Terms & Conditions and Privacy & Cookies Policy.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.