General Data Protection Regulation (GDPR) goes live on 25th May
We’re sure that by now all dealers are aware of the changes in data protection rules. With fines much higher than the FCA would impose, the ICO will surely be looking to take enforcement action against businesses that do not comply.
Data protection has been part of our culture since the Data Protection Act (DPA) of 1998; however, the new rules bring significant updates that cannot be ignored.
With less than a month until GDPR is enforced, we speak to WMS Group’s Compliance Manager, Andy Shipp, to get his take on the new data protection legislation and some of the basics that car dealers should be doing straight away.
After attending a Data Protection Officer’s course in the first week of January, Andy was left, by his own admission, in no doubt of the importance of getting our compliance correct. Andy says:
“I left feeling consciously incompetent. The 29 Articles were turned into an 800-page manual and I had to sit a 3-hour exam at the end of the week’s training”.
“Subsequently I have spent time going into the detail and, as ever for me, learning to understand it to be able to turn the minefield into a simplistic communication for all levels of staff to be able to understand”.
Here Andy offers an initial insight into what he has learned:
This article aims to address the BASICS of GDPR and comes with a note that senior members of your team need to ‘get to grips’ with more detail than is published here.
GDPR in its simplicity – So what must I do as a Motor Dealer?
“As you hold and process personal information about your clients, employees or suppliers, you are legally obliged to protect that information. Under GDPR rules you MUST”
So what information am I allowed to collect?
- Only collect information that you need for the purpose that is specific to your business
- Keep that information secure
- Ensure it is relevant and up to date
- Only hold as much information as you need for as long as you need it
- Allow the subject of the information to see it on request
How do I start the process of being GDPR compliant?
“The same as you would expect in an FCA framework and structure really, you need to write a policy of your intentions and how you will conform to these KEY points”
What areas in my business do I need to look at specifically?
“Get the correct data consent from the customer at the point of sale when face to face with the customer and ensure you contact them in the way in which they have indicated. For a sale to happen there is certainly some key information that you need to collect to be able to do your job and it is about gaining valid consent”.
“Ensure that your records, electronic or in paper form, are held securely to protect against data breaches. This applies to all electronic devices including smart phones & tablets etc. Also, to ensure you have cyber security and passwords to protect the data”.
“Ensure the customer data is used for its correct purpose, i.e. only to do with the sale of the vehicle and the appropriate services offered and not offered to 3rd party (non-motor-related services that you do not have permission for).”
“Ensure the customer’s permission is an ‘opt in’ scenario and not an ‘opt out’ scenario”
“Respond to customer data requests (within 30 days) detailing why you hold it and for what reasons and giving them the option to rectify, restrict, forget or be erased or complain (other than in your normal requirement to conduct your service and support)”
“Ensure your marketing communication campaigns are geared towards the customer who would expect to receive them as you have a legitimate interest (which you will need to turn into valid consent)”
“From a HR perspective you will need to ensure sensitive data is especially protected and there are also rules of some data you are not allowed to collate”.
Andy concludes by saying:
“I hope this helps with your understanding of this very important issue, but this is not a definitive guide, just a basic introduction into GDPR.”