An Interview with Car Care Plan’s Head of Risk and Compliance
This week, we have a special Q&A with Gavin Tinch, Car Care Plan’s Head of Risk and Compliance, who talks about the General Data Protection Regulation (GDPR), which comes into force on 25th May 2018.
Gavin is responsible for ensuring Car Care Plan’s operations maintain compliance with all applicable regulations, including Data Protection and GDPR. Here he discusses the importance of GDPR, awareness of the regulation changes, and what your business should be doing in preparation.
Car Care Plan has published a series of blogs on the GDPR and a free-to-download eBook.
Q. How important is it for companies to be aware of GDPR?
It’s essential that all firms are aware of GDPR – it doesn’t matter whether you are a regulated firm or not, GDPR will impact you.
Q. How aware of GDPR is the automotive industry at the moment?
There’s certainly more awareness within the industry than there was a few months ago. I’d imagine most firms have now heard about GDPR, but I’m not sure how well progressed firms are with implementing the appropriate changes to establish GDPR compliance. Whilst 25th May 2018 seems like a long way away, there is a lot of work to do – so my message would be to start working on GDPR implementation projects now!
Q. How aware are consumers?
I don’t think your average consumer would have any awareness of GDPR – but I do think that consumers’ attitudes to the way their data is used and how it is stored has changed. The proliferation of cyber-attack news stories, the seemingly incessant cold-calling about double glazing, PPI mis-selling or industrial injuries at work, and the constant threat of identity fraud has led to consumers becoming much more educated about data security.
Q. What can be done to help raise awareness of GDPR?
Within business there is already a lot of information being shared via LinkedIn, Twitter and through the standard news channels. There is an abundance of courses available and a plethora of firms marketing their services to help. Before rushing to sign up to a course or appoint a specialist firm to help, I would urge you to visit the Information Commissioner’s Office (ICO) website, which is filled with useful data. The best first step is to understand where the gaps in your current processes are – that way you will understand exactly how much work you have to do.
Q. What is Car Care Plan doing to help raise awareness?
We pride ourselves on keeping our clients informed of regulatory developments. GDPR has been on the horizon for a long time and we have covered this in a number of our “Compliance Matters” newsletters. More recently, with just under a year to go, we published a more specific GDPR bulletin for our clients. We have also decided to use social media to help increase awareness and to keep GDPR in the spotlight.
Q. What are the most frequently asked questions you receive regarding GDPR and data protection?
The most common question is whether it will impact UK firms when (or if) Brexit goes ahead. The answer is yes. The UK government has advised that GDPR will be implemented, regardless of the Brexit timeframe.
Other questions so far have related to obtaining consent from consumers for marketing purposes. These questions are less straightforward to answer because there are varying legal opinions. The short answer is that you need to obtain specific consent if you intend to market other products or services to your customers – but then you have to consider whether doing something like reminding a customer their MOT or servicing is due or their warranty is about to end constitutes marketing. In these scenarios, customers are more often than not glad of the reminder, so it’s important to balance the GDPR requirements against what your consumers would expect as part of the usual customer service you provide.
Q.How is Car Care Plan preparing for the GDPR?
We have two streams of work currently underway. The first, which I am responsible for, is to look at the operational impact of GDPR – this includes informing our clients of the regulation, establishing appropriate operational procedures, understanding what information we hold, where it came from and who it is shared with, and updating point-of-sale material, legal contracts etc. The second is systems-focussed – which includes amending system privacy statements, amending the way consent is obtained and various other technical work.
Q. Can you provide an example of good practice in preparing for the GDPR?
The best thing I’ve seen so far is from a manufacturer, which has written to all of its suppliers that hold any personal information relating to its customers, asking for an in-depth questionnaire to be completed about how this personal information is stored and used. This is the first step to conducting a full gap analysis. Once the responses are received, this firm will be able to identify the most significant risks and implement an appropriate action plan to mitigate these risks.
Q. Can you provide an example of bad practice in preparing for the GDPR?
The worst thing a firm could do is nothing. This piece of regulation will impact everyone and there will be some work to do. The sooner you start the better. As referenced on the ICO’s website, “the new law gives directors 20 million reasons to start listening” – referencing the new fines for non-compliance which can be up to either €20m or 4% of annual global turnover, whichever is the greater.
Q. What is the most important advice you could give in preparing for GDPR?
Most important would be not to underestimate the amount of time you need to implement the changes. Under GDPR there are some new elements and some fairly significant enhancements, meaning firms will have to do some things they used to do differently, and other things for the very first time.
Q. How much of the industry’s current compliance with the Data Protection Act will cover them for GDPR changes?
A lot of the main principles of GDPR remain consistent with the current Data Protection Act, meaning firms that are already complying with the DPA will be much better placed for GDPR. However, as mentioned previously, there are changes and firms will be required to do things differently under GDPR.
Q. Do you expect the changes will have any adverse effects on business or will it be business as usual?
The changes will have an impact on business, but whether that is adverse or not is another question. If you do GDPR right and treat your customers’ information in the appropriate way, then there is every likelihood that GDPR could have a positive impact. Your customers will know how you are using their data, know you are storing it safely and know you are not sharing it with unscrupulous marketing firms. This could lead to greater consumer trust, increased brand loyalty and improved repeat business or referrals.
However, if you get it wrong then the opposite could happen. Especially relevant here would be any reputational damage if your firm was subject to a data security breach or any form of fine.
Q. How would you advise managing Consent for those customers already on businesses’ databases?
This is a very difficult question to answer. I would always advise that businesses get their own legal advice. My opinion is that firms really need to understand what they do with customer data and decide what level of consent is needed. If all they do with the customer data is to use it to send a reminder about an MOT or a service, or to inform the customer that their warranty is coming to an end, then it may be that they need to do very little in relation to re-consenting customers.
If they sell the data to marketing firms or use it to cross-sell other products, then an exercise in re-consenting may be appropriate. If this is the case, keep in mind the Privacy and Electronic Communications Regulations (PECR) – recently a few firms have been fined for breaching PECR when trying to re-consent customers.