On May 25th 2018, the EU’s General Data Protection Regulation (GDPR) legislation comes into force. It promises to have a major impact on working practices for all UK businesses, with the motor trade as much affected as any other industry. So, what is GDPR, and what effect may it have on the motor trade industry?
GDPR brings in new regulations designed to boost the safeguarding and protection of personal data. There are new rules which govern how data are collected and stored by all businesses, and how this information can be used. Any business that breaks the rules is subject to very strong penalties – in some cases this could run to millions of pounds, so it’s essential that motor trade business owners, managers and employees alike are all aware of the change in laws and are trained in the implementation of the guidelines. While the guidelines come from EU lawmakers, the UK government will continue to enforce them in any post-Brexit scenario, so they can’t be put aside in 2019.
A key part of the regulations is on the collection and use of sensitive or personal data, such as customer names and contact details, and how these are stored or used. While much of the legislation is near-identical to the UK’s Data Protection Act, meaning that many businesses should already comply with many of the directives, there are some essential points to note.
In the first instance, it’s vital to look at what personal data you currently hold, and how this can be used or stored. GDPR has specific guidelines on what you can and can’t do with the information, and how long – and for what reasons – it can be stored. It also provides more detailed guidelines on what are valid (or invalid) reasons for capturing sensitive data. Businesses must also not retain this information beyond any specific period of need, and must destroy the data once used, unless there’s a valid reason for its retention.
A key aspect of safeguarding your business is to review your privacy notice, and make sure it explicitly spells out what personal or sensitive data you capture, and why or how this is used. You must check the information provided on any existing notice to make sure you’re telling your customers exactly what their data is being used for. For example, you cannot use personal data such as telephone numbers or email addresses to contact users without consent, and specifically not for any reason beyond the one for which they may have already given you permission. This could well impact a motor trade business in terms of direct marketing or customer engagement.
If you have a form on your website through which customers can supply personal details, you must explicitly state what the information will be used for and give options for the users to opt out of specific forms of communication, such as direct marketing or phone calls. An example could be where a customer has given details to obtain an insurance policy; you cannot then use their information to contact them about unrelated products or services, such as buying a new or used car.
It’s vital to understand that GDPR applies to all areas of your business. If you have a team of employees, it’s vital that every single one of them is trained in what GDPR means and what is permissible or forbidden under the guidelines. Ignorance is not an excuse for misuse of customer data! Companies may feel the need to appoint a Data Protection Officer, who can provide advice and guidance and ensure that your business is fully compliant with the new legislation.
Misuse of data and breaches of the GDPR guidelines can result in a fine as severe as 4% of global turnover, so it’s vital that all employees understand the key aspects of the new laws.