Since the creation of the first car in 1886, the automotive industry has had a long-standing history of adopting and embracing cutting-edge technologies, writes Chris Linnell.

Gone are the days when the car was just an engine running on four wheels - now some modern cars have between 70 and 100 electronic control units (ECUs) which operate many features - from engine control, transmission and braking to heating, steering and infotainment units.

Certainly, this surge in connectivity and autonomy has led to improvements in overall safety and driving habits, but it also reinforces the need for stringent cybersecurity protocols.

Data protection and ensuring compliance is a top priority for automotive manufacturers; however, data security remains a challenge, especially when it comes to handling and processing personal data.

Add to this the complexity that arises from relationships with dealerships and third parties and it’s no wonder attackers have targeted automotive organisations - from giants like Ford, Tesla and BMW to smaller, local dealerships.

The generation of orders, pre-sales and after-sales marketing as well as customer support and supply chain management mean that the automotive industry handles diverse and complex types of data processing across its entire operation.

Importantly, automotive organisations that are not seen to take data protection seriously or are failing to implement adequate data privacy and security strategies risk experiencing a loss of customer trust and potentially large regulatory fines for noncompliance with GDPR.

Significant Attacks 

In recent years, businesses within the automotive industry have suffered several high-profile attacks, including one on CDK Global. The major provider of car dealership management systems was hit by a ransomware attack last year, with the breach incapacitating services for approximately 15,000 car dealerships across the U.S. and Canada, forcing many to revert to manual processes.

CDK Global then paid the $25 million ransom to restore operations but the incident led to a large number of lawsuits from affected dealerships as well as substantial financial losses.

In Europe, Volkswagen suffered a data leak which exposed the location information of over 800,000 electric cars. The vulnerability first came to light within software in VW Group-owned cars like Audi, Skoda and Seat. Threat actors had access to driver data stored on Amazon’s cloud service, including names, contact details and precise vehicle locations.

However, Cariad, VW’s software subsidiary, addressed the issues and informed customers that no passwords or payment details were compromised.

As these examples show, the realm of automotive cybersecurity faces a broad spectrum of threats, including remote hacks, data intrusions, ransomware incidents and even the physical tampering of vehicle systems. With technology continuously evolving and maturing, the automotive industry must stay alert and proactive in safeguarding sensitive data from these threats - a difficult feat without specialist knowledge.

Manufacturer/dealership relationship

The relationships between manufacturers and dealerships underpin the automotive industry but also pose unique data protection challenges due to dealerships operating as independent data controllers. This complicates data sharing and raises concerns about customer awareness of who handles their data, how and why.

To ensure compliance, manufacturers must establish clear data-sharing agreements outlining roles, permissible uses of shared data and security measures. Transparency is critical, as dealerships, often interacting directly with customers, are responsible for delivering privacy notices for both themselves and the manufacturers.

Challenges arise when dealerships represent multiple manufacturers, making standardised processes vital for consistency.

Manufacturers should prioritise accountability by conducting audits, providing guidance, and offering tools such as template notices and training programs to help dealerships align with brand standards. However, manufacturers must also navigate shared responsibilities, balancing their requirements with the dealership’s obligations as independent data controllers, particularly regarding staff training and compliance efforts.

Protection is multi-faceted

In terms of technological innovation, the automotive sector is widely considered among the first to adopt new technology, often prioritising speed over anything else to maintain the competitive edge; in some cases, data protection is also overlooked. The advancements in technology have naturally spread into modern vehicles.

These connected cars have significantly increased data collection, capturing sensitive information such as location, driving habits and even biometrics. This amplifies the risk of breaches and misuse.

Additionally, there is a lot of collaboration within the automotive industry, and sharing data with third parties - from insurance providers, financial services and roadside assistance to dealerships - is a necessity. Each adds a layer of complexity to data protection. Manufacturers need clear processing agreements as well as the capacity to perform due diligence and audit compliance.

To address this, for cross-border data sharing, standardised frameworks such as intra-group agreements help maintain compliance with international transfer laws. To ensure the security of data at every stage of its lifecycle, data protection principles must be integrated into change management processes. Emphasising privacy by design and default during product development ensures risks are identified early and mitigated effectively.

Furthermore, regular training for teams involved in engineering, design, and project management reinforces these practices to make data protection a key objective. In addition, conducting Data Protection Impact Assessments (DPIAs) ensures lawful and proportionate data processing. Mitigations like encryption, secure storage and data anonymisation safeguard sensitive information and should also be deployed.

Finally, automotive businesses should appoint a dedicated expert, such as a Data Protection Officer (DPO) - whether in-house or outsourced - to focus on data protection responsibilities. DPOs focus on ensuring the right people, processes and technologies are in place to not only meet compliance requirements but to reduce the likelihood of suffering a data breach.

Given the growing risk of data breaches, having the right expertise to handle data protection requirements is vital for automotive organisations due to the sensitive data they obtain and control. The industry is subject to various regulations and laws that mandate compliance, emphasising the importance of safeguarding customer and vehicle data while minimising the impact of data breaches.

Chris Linnell is associate director of data privacy at Bridewell