General Data Protection Regulation

Our compliance partner, i-Comply online, comment on the Genereal Data Protection Regulations (GDPR) and why it should be on your agenda.

General Data Protection Regulation (GDPR) is something that all dealers will come to see more often in the months ahead as the market comes to terms with the implications of the forthcoming changes, which come into force from 25th May 2018. In the world of motor retailing this may seem an age away, but is an item that needs to go onto the agenda now for a number of reasons:

  1. It has implications for customer retention and lifetime value activities.
  2. The data you already hold may not be appropriately ‘consented’.
  3. That same data may be too old to be used going forward.
  4. You will need to establish new processes and protocols to comply with GDPR.
  5. You should explore how you share data with other partners.

And there is a challenge with achieving all of this; the Information Commissioners Office (ICO) is still finalising exactly what is required and the scope. Social media, by way of example, is a notable grey area. However, I believe it is appropriate to start acting on what we do know and ensure you and your team are starting to think about the challenge ahead – and that you engage with your support partners to ensure they are on, or getting onto the same page.

So, what do we know? – A few brief highlights

The first thing to confirm is that while this is a piece of EU legislation aimed at EU citizens, the UK plans to enact it and as such Brexit plans will make little or no difference. In a global village, accelerated by digitisation the wider world is looking to create a data protection standard and it seems this will mean the UK will fully support GDPR.

The regulation (and it is regulation, not a directive) will apply to consumers and businesses, the latter being an addition to the current requirements.

If the customer’s data is used for any direct marketing, including electronically, or for data processing, then consent must be sought. There are some potential exceptions here for dealers; social media as noted previously, apps that collect data and online cookies being examples yet to be clarified.

Dealers will need to gain the explicit consent of customers to be able to use their data and this will mean identifying exactly what the scope of usage will be and what, if any, data sharing will take place. Dealers can only use the data for the consented purposes.

Data ‘minimisation’ principle – if a customer requests that their personal data is removed for marketing purposes, dealers must act swiftly. Further, they should not hold a customer’s data for any longer than is necessary. The end of a finance agreement period or sale of a car stand out as potential triggers for a dealer to delete a customer’s data, but the dealer may not be aware of all such changes. To mitigate against potential problems, dealers could adopt a ‘dormant customer’ approach, removing customers from whom they have had no contact for an extended period, for example, five years. Another option could be adding a ‘contact for marketing purposes until further notice’ clause to customer data permissions.

Responsibility will now lie with data processors as well as controllers.

The Potential ‘Green shoots’ for dealers

The regulation does provide that consent may not be required in all circumstances; three areas should be noted:

  • Where it is necessary for performance of a contract.
  • When it is necessary as a legal obligation.
  • To protect vital interests of the data subject.

The first two are reasonably clear and could extend to areas such as finance proposals (although if an agreement does not proceed data should be deleted without express consent). It is the third area that provides some potential leeway.

Contacting a customer for warranty work, servicing, MOTs, GAP cross-sell, warranty renewal, and the end of a PCP agreement are potential examples where a dealer could be seen to be working to protect the customer’s interests. Encouraging, but this still leaves some areas of today’s typical direct marketing that could fall outside of the ‘vital interests’ criteria; an open evening, new car launch and newsletter/e-zine may not be seen as ‘vital’ help.

Some steps to consider now

The most obvious step would be to embrace GDPR now. Accept that gaining explicit consent and being able to prove you have that consent is a core process. It seems likely that increasingly customers will get used to providing this to a very wide range of organisations. They may well think it is odd initially and some will invariably ‘opt out’, but for many, it will become second nature quite quickly.

Next, look at the data you already hold clean it and if it is notably aged either try and seek consent to continuing usage or delete it. Stay abreast of developments. It seems likely that the ICO will provide greater clarity as the year progresses and especially digitally things will become clearer. Please note the NFDA aims to be a source of information and seek out insights from your partners. Frustratingly, there will be differences of opinion in this area. We have seen it before in regulatory change and being agile will be important.

Ensure your data controllers and processes know what is expected of them and help them to develop rigorous processes.

Finally, don’t leave it too late to adapt and change. Anyone who has ever tried to cleanse a dealer database will quickly inform you how time-consuming it can be.