The EU’s General Data Protection Regulation (GDPR) will come into force on 25 May 2018 and have a significant impact on businesses of every shape and size, including those in the motor trade.
The regulations are designed to improve the protection of personal information by introducing strict new rules about how data is collected, used and stored. There are severe penalties for businesses that do not enforce the new rules, so it’s essential you understand what your obligations are and the steps you need to take to comply.
The key changes that’ll impact motor traders
If you hold any information about customers in the EU then you will have to comply with the new rules. And, although this is an EU regulation, the UK government has already indicated that the rules will apply regardless of the form our exit from the EU takes. So, this is not something you can afford to ignore.
- Collecting and using personal data
- The use of personal data for marketing purposes
Personal data is often used by car dealers, service centres and other businesses in the motor trade for marketing purposes. If you do intend to use data for marketing purposes then you will need to obtain the individual’s consent first. You must also provide clear instructions about how that consent can be withdrawn. This applies to data already collected as well as personal data you will collect in the future.
- The sharing and processing of data
Motor trade businesses that use the services provided by data processors must ensure that those third parties also comply with all aspects of the GDPR. If they fail to do so, any penalty will be payable by the motor trade organisation and the third party.
Those in the motor trade are also responsible for ensuring mandatory processing clauses are included in any data sharing contracts they have in place. If they are not, the appropriate clauses should be drafted and the contracts amended accordingly.
Demonstrating your compliance
Another requirement of the GDPR is that those in the motor trade must be able to demonstrate their compliance. This can be done in a number of ways. Larger operators should consider whether hiring a data protection officer is necessary to put the relevant measures in place. Those measures include:
- Creating adequate policies and procedures for the collection, storage and use of data;
- Making sure everyone who handles personal data understands their obligations under GDPR;
- Creating a record of all the personal data that is being processed.
Hiring a data protection officer is not a step businesses must take under the GDPR, but for firms handling large amounts of personal data, given the potential penalties for a breach (whichever is greater, €20 million or 4 percent of total worldwide annual turnover), it could be beneficial.
What practical steps should motor trade businesses take?
The Information Commissioner’s Office has created this checklist that details the steps organisations should take to ensure they are ready for May 2018. If you are concerned about your ability to meet the new requirements or simply do not have the time to make the relevant changes, there are service providers that will be able to take care of your GDPR obligations on your behalf.
Talk to Tradex
As the UK’s leading motor trade insurer, we provide unrivalled cover that’s tailored to meet the specific risks you face. Please get in touch to discuss your requirements or request a quote today.