As the May 25 deadline for the General Data Protection Regulation (GDPR) approaches, we ask two solicitors to address some of the most common concerns among dealers.


Nona Bowkis, solicitor at Lawgistics and specialist on the GDPR

What challenges are you hearing from clients that stand out when it comes to changes around customer data?

The biggest challenges seem to be misinformation and scaremongering. We have dealers calling in a state of panic having read various articles and comments on forums, which are simply either not true or exaggerated. The fact is that the GDPR applies to all businesses who process personal data. Personal data includes basic information such as a customer’s name. It also now includes CCTV footage and IP addresses. For businesses with more than 250 staff or those who regularly handle large amounts of data or sensitive data, the responsibilities are more onerous. However, for many dealerships, the GDPR is comparatively straightforward.


What do dealers have to do around their processes to make sure they are ready?

Dealers need to take time out to undertake an information audit. In its simplest form, dealers need to list the types of personal data they hold, work out under which of the six lawful grounds listed in Article 6 of the GDPR they can legitimately process that data, and ensure the security of that data, whether that is filing paper invoices away in a locked filing cabinet or ensuring their IT databases are secure.

For email marketing, if dealers have relied on an opt-out system that meets the requirements of Regulation 22 of the Privacy and Electronic Communications Regulations (PECR), they can continue with this system and cite ‘legitimate interest’ as the lawful basis for processing instead of ‘consent’, which under GDPR, requires a positive opt-in approach.


What are the biggest stumbling blocks you are hearing when it comes to employee data?

Dealers are asking about whether they need the consent of the employee to hold their data and if a consent clause in the employment contract is sufficient. While a consent clause may have been suitable under the Data Protection Act (DPA) 1998, any such consent clause is unlikely to meet the high consent threshold under GDPR. Employers are advised to remove any consent clauses and instead rely on one of the other six grounds for lawful processing. In this case we suggest a combination of ‘contract’, ‘performance of a legal obligation’ (personal data is required to pay tax and NI) and ‘legitimate interest’.


What advice would you give to dealers that aren’t quite ready on the issue of employee data before the GDPR deadline?

Dealers should not only be reviewing their contracts for unnecessary consent clauses, but they should be ensuring they have a clause that requires employees to take personal responsibility for customer data. For such a clause to be effective, dealerships will need to ensure all their staff have been provided with adequate training and that the organisation has a clear data protection policy. Training will need to include what constitutes personal data, why data protection is important and the consequences of non-compliance. Employees need to be aware that as individuals, they are open to prosecution for data breaches under Section 55 of the current Data Protection Act (DPA).

In terms of a data protection policy, an example clause could be that the details of unsuccessful applicants will be destroyed after three months. The GDPR has an emphasis on data minimisation and so if employers do not need the data, they should not keep it.


What are the big challenges for dealers in meeting the GDPR’s requirements in terms of technology and security?

We have had a number of dealers who have had to source new website providers as some designers have decided that their new accountability under the GDPR is too much and they have opted out.

Dealerships, in their role as data controllers, must have a written contract with their third-party processors and they need to ensure that said third-party is compliant with the GDPR.


What should dealers be doing around their third-party processes to make sure they are ready?

Dealers need to talk to their IT processors and either put a written contract in place or update any contracts that may comply with the DPA 1998, but will not comply with the higher requirements of the GDPR. If the third-party processor cannot provide the dealership with the required “sufficient guarantees to implement appropriate technical and organisational measures” then the dealership needs to look elsewhere and have their new processor and written contract in place by May 25, 2018.


Paul Carroll, partner and commercial solicitor at Motor Industry Legal Services (MILS)


What challenges are you hearing from clients that stand out when it comes to changes around customer data?

Some dealers are being told they cannot contact customers before gaining consent. This is not strictly true. Contact can be made where necessary as long as it fits with the GDPR’s six lawful grounds for using customer data. However, there are times when consent must be present, such as marketing, processing sensitive data or transferring data outside of the European Economic Area (EEA).


Can a dealer use customer data for marketing purposes?

The GDPR is not the only legislation that applies to customer data. Where any marketing is done by electronic means, such as email, the Privacy and Electronic Communication Regulations (PECR) require consent for that marketing. While the PECR are also due to be updated, they are likely to be replaced by something similar and will continue after May 25, 2018.

Marketing is and remains a legitimate interest under the GDPR. That said, any ‘legitimate interest’ of the business cannot override the customer’s own interests. Where possible, any marketing should also be done by consent so that more than one legitimate interest is present for the purposes of the GDPR. Dealers should take steps before May 25 to update any records in cases where there is no clear consent for marketing.


What sort of problems are dealers having when trying to update records?

We have heard the regulator has received a number of complaints from customers regarding contact to update records. Previous rulings have clarified the fact that an email requesting confirmation as to whether a customer consents to marketing is itself marketing and therefore consent will be required to ask the question by email (not postal or telephone). No contact can be made with any customer who has opted out of such communications.

There is no reason why a customer cannot be contacted prior to the May 25 deadline, as long as any emails on the list have been properly vetted. You have to make sure you are only contacting customers who have previously been in touch to enquire about similar services and have not expressly rejected contact in the past.

However, anyone contacted will need to be given an opportunity within the correspondence to opt out of such contact in the future.


What changes are dealers having to make when it comes to employee data?

Data protection in an employee context has been low-risk in the past and this will continue. However, as with customers, any processing must be lawful, fair and transparent. Most employment contracts rely on a blanket consent for processing personal data. The GDPR raises this bar and dealers will need to ensure they have updated any grounds for processing accordingly.


What are the big challenges for dealers in meeting what GDPR requires in terms of technology and security?

The GDPR is not just about how you handle customer and employee records. Data security plays an important role in the new legislation. The more sensitive the data held and/or the greater the risk should the data be compromised, the greater steps will need to be taken to secure it.

However, this does not mean the Information Commissioner’s Office (ICO) will expect all data to be secured using the most sophisticated measures.

Businesses are entitled to consider the costs of implementation and weigh this against the risks.


Are there any standards dealers can adopt when it comes to data security?

There are two main data standards currently within the UK – PCI DSS and ISO27001. While there is no legal requirement to use any particular standards, they can help demonstrate that appropriate technical and organisational measures are being used.


Do dealers have to change a lot around their systems regarding security?

While the GDPR puts data security at the heart of data protection and does put more stringent requirements in place, the position will remain broadly the same. If appropriate technical and organisational measures were in place under the Data Protection Act (DPA), dealers are likely to be complying with the GDPR too.

That said, security is a continuing requirement. If a dealer hasn’t reviewed data processing procedures recently, then they may no longer be appropriate. Dealers should ensure they are regularly assessing their data processes and the technical and organisational steps taken to offer protection. A good test is for a dealer to ask themselves what would happen should a technical system fail. The more serious the outcome, the more significant technical and organisational measures for protection will have to be.