As if you didn’t know by now, the GDPR is the General Data Protection Regulation, which has been legally enforceable since 25th May 2018. At Real Inbound we can support car sales dealerships to ensure their automotive marketing data is compliant as part of our inbound marketing strategy development. We use easy-to-understand language and suggest simple, specific steps to take, backed up by insights drawn from some of the best people in the sector.
For the purposes of dealership marketing data, this article breaks GDPR down into three areas. These are very much top line, and this article certainly doesn’t constitute adequate consultancy or legal advice for your business, but it should give you a head start as to what to look for as you begin your journey.
First of all, who does the GDPR apply to? Basically, car dealers ‘processing’ personal data on European data subjects (people).
Processing means storing, communicating with, segmenting, or any number of other activities you can conduct with personal data.
‘Personal data’ means any information that could be used to identify a natural person, that is, a person currently alive and living in Europe. And no, Brexit doesn’t mean GDPR won’t apply.
So, if you have an automotive marketing database, an HR database, a list of job applicants, a list of suppliers, a customer list etc., then chances are you are processing personal data, and that data will need to comply with GDPR.
The three areas to think about are:
1 Cyber Security
You’ve heard the term no doubt, but what does it mean? Well, simply put, keeping your IT infrastructure safe. Safe from breach (someone or something breaking in) and safe from all sorts of nasty viruses.
If you are buying ‘off the shelf’ services like CRM systems, websites or invoicing platforms etc., it’s worth talking to your suppliers about how they are, or will be, compliant, as they themselves are a risk in terms of the security picture for your business.
And even if you are being looked after by a reputable IT firm (and if you are not, it’s worth thinking about), it’s worth checking with them as to what steps they are taking. Get them to report to you on a regular basis on the state of your IT and its compliance. But don’t be lulled into a false sense of security. There is more to GDPR than that.
2 Dealership Processes
The GDPR talks about having data security built into your dealership processes. This means having your privacy statements up to date for each data set you use and making sure that citizens’ rights, like the so-called ‘right to be forgotten’, are honoured in all aspects of the business. How you gather marketing data, how it’s stored, who gets to use it and the legal basis on which you are using the data are examples of the processes you need to think about.
Something like the BS 10012:2017 (Data privacy) standard is a great place to start to ensure you are running your business, and processing your automotive marketing data, in a compliant manner, but again, this is also something the GDPR Alliance can help you with.
3 The data itself
You must be aware of what data you have. That includes understanding where you might be keeping data that you aren’t immediately aware of, like in a CRM system, a mailing list in Mail Chimp, a survey tool, or even somewhere like your website’s contact forms.
I mentioned your ‘legal basis’ earlier, and I think this is the cause of much of the confusion, with many different versions of what is allowed and what constitutes a ‘legal basis’.
Again, in simple terms, the GDPR says you are OK to process data if:
You have the consent of the data subject. This consent must live up to standards of specificity and transparency, and it must be explicit for the use to which you will put it. It’s no longer good enough to have a pre-checked box on your data gathering forms. It’s also likely to mean that data you hold that might have had consent some time ago maybe doesn’t have that consent anymore!
You can have a legal basis if you have a contract with the data subject which requires the processing of their data, such as a guarantee, for instance.
There may be a legal requirement for you to hold data on someone in order to comply with the law, for example safeguarding information or information on finance agreements.
Your processing of the dealership marketing data might be in the vital interest of the data subject; for instance, in order to save a life you might need to pass on privileged information to an ambulance crew.
Public interest: if you have a public task to comply with, in the interest of the public and based in law, that can be the basis of your processing.
You have a legitimate interest in processing the automotive marketing data, as long as that interest doesn’t outweigh the interest of the data subject.
You can get more clarification of the legal basis on the ICO website or by talking to your GDPR Alliance consultant or other professional such as your web developer or IT supplier.
If you haven’t got the contracted right or the legal requirement, most businesses will be looking at ‘consent’ and ‘legitimate interest’ as the basis for their data processing. But the questions don’t end there.
Consent is intended to be weighted toward the benefit of the data subject and should be as easy to withdraw as it is to give.
And legitimate interest must be demonstrated through the application of a three-stage ‘test’ called a Legitimate Interest Assessment, which the ICO and DMA advise you to apply. Namely: identification of the legitimate interest (the reason), a necessity test (can the same be accomplished any other way?) and a balancing test (does the processing impose upon the data subject’s rights?).
And if you really can’t do it yourself, look for a reputable, experienced GDPR consultant in your IT supplier’s team, your web developer, or indeed, from the members of the GDPR Alliance like Real Inbound.