Are your DMS and other systems GDPR-compliant? A guide to assessment.



In our previous posts we explored the need to identify personal data and to understand how to use it without breaking the law or the individuals’ rights. Now we will help you understand how to assess the various software packages you might be using in your dealership to make sure you are compliant with GDPR.



One big reason for introducing GDPR was to reinforce data protection practices in an increasingly digital world. Ideally, all digital data processed by an organization should be stored in a single place and used by means of adequate access levels and policies.

In practice, data, including personal data, is stored in different ways (standard or proprietary files, databases on-premises or in the cloud) and used by software with different levels of specialization, e.g. workshop tools, document management systems, word processors, etc. Moreover, this data travels across the local network or via the internet to remote places.

It is therefore essential to understand the role of IT, software and technology in order to make good decisions with regard to GDPR compliance.


GDPR Requirements for Software

Both parties involved in data protection, controller and processor, have the responsibility to comply with GDPR. In order to meet this goal, they need to make several choices to build the IT ecosystem that suits their needs and fulfils the legal requirements.

GDPR requires privacy-by-default and by-design, meaning thinking about privacy regulations from the start whenever these decisions are made.

Software is not inherently GDPR-compliant. Compliance is not guaranteed by having the tool, but rather by how it is used. Depending on its technical features, a software package can hinder or facilitate compliance with GDPR. The next paragraphs quote the relevant articles:

"...processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)."

(GDPR Art. 5, f)

"...the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

(a) the pseudonymisation and encryption of personal data;

(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing."

(GDPR Art. 32)




How to assess the software you use?

Here is a list of technical features to evaluate how strongly a particular software supports GDPR:

  • Encryption – Data travelling between two remote points must be readable to the sender and receiver only. Data storage (including back-ups) must not be readable to unauthorized parties.
  • High availability and integrity – By means of redundant storage and periodic backups, the software must be available to the users whenever they need it, without delay and without loss or corruption of data.
  • Authentication methods – It must be possible to identify who changed or accessed personal data. The authentication (i.e. identifying the human being or interface) must not be “weak” (e.g. without a password); ideally, stronger methods (e.g. biometric or multi-factor) should be used.
  • Granular user rights – Limit what data can be accessed or changed by an authenticated user (or interface); different roles and users need to work only on what is needed for their task.
  • Logging – It is of particular help to be able to identify who accessed or modified data and when, especially for incident identification and breach reporting.
  • Patches – No software is bug-free, but having the right support from the software provider greatly helps to keep systems up-to-date.
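To make the authentication, granular user rights and logging items concrete, here is an added example (not code from the original post or from any DMS vendor): a small personal-data store in which every operation names the calling user and role, is checked against a role-to-permission table, and is written to an audit log whether it was allowed or not. The log references customers only through a keyed hash (pseudonymisation, as in Art. 32(a)) so that the log itself does not become another copy of personal data. All roles, users, record contents and the pseudonymisation key are constructed for illustration.

```python
"""Added example (not from the original post): role-based access control,
audit logging and pseudonymisation over a personal-data record store.
Every name below (roles, users, customer ids, key) is constructed."""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed role -> permitted actions table (granular user rights).
PERMISSIONS: dict[str, set[str]] = {
    "workshop": {"read"},
    "sales": {"read", "update"},
    "dpo": {"read", "update", "delete"},
}

# Constructed pseudonymisation key. In a real deployment the key lives
# outside the application (key vault / HSM), never in source code.
PSEUDONYM_KEY = b"example-key-do-not-use"


def pseudonymise(customer_id: str) -> str:
    """Keyed hash of a customer id, so the audit log can refer to a
    customer without containing the real identifier."""
    digest = hmac.new(PSEUDONYM_KEY, customer_id.encode(), hashlib.sha256)
    return digest.hexdigest()[:16]


@dataclass
class AuditEntry:
    when: str        # UTC timestamp of the attempt
    user: str        # authenticated user making the call
    action: str      # read / update / delete
    record: str      # pseudonymised customer id
    allowed: bool    # whether the permission check passed


@dataclass
class PersonalDataStore:
    records: dict[str, dict] = field(default_factory=dict)
    audit: list[AuditEntry] = field(default_factory=list)

    def _check(self, user: str, role: str, action: str, customer_id: str) -> bool:
        """Permission check; every attempt is logged, denied ones included,
        so a breach investigation can answer who tried what and when."""
        allowed = action in PERMISSIONS.get(role, set())
        self.audit.append(AuditEntry(
            when=datetime.now(timezone.utc).isoformat(timespec="seconds"),
            user=user, action=action,
            record=pseudonymise(customer_id), allowed=allowed))
        return allowed

    def read(self, user: str, role: str, customer_id: str) -> dict:
        if not self._check(user, role, "read", customer_id):
            raise PermissionError(f"{user} ({role}) may not read {customer_id}")
        return dict(self.records[customer_id])

    def update(self, user: str, role: str, customer_id: str, **fields) -> None:
        if not self._check(user, role, "update", customer_id):
            raise PermissionError(f"{user} ({role}) may not update {customer_id}")
        self.records.setdefault(customer_id, {}).update(fields)

    def delete(self, user: str, role: str, customer_id: str) -> None:
        """Erasure of a customer record (only the dpo role may do this here)."""
        if not self._check(user, role, "delete", customer_id):
            raise PermissionError(f"{user} ({role}) may not delete {customer_id}")
        self.records.pop(customer_id, None)

    def who_touched(self, customer_id: str) -> list[AuditEntry]:
        """Investigation query: every logged attempt on one customer,
        matched via the pseudonym so the real id is never stored in the log."""
        pseudo = pseudonymise(customer_id)
        return [e for e in self.audit if e.record == pseudo]


def demo() -> PersonalDataStore:
    """Constructed scenario: sales creates a record, workshop reads it,
    workshop is denied deletion, the DPO erases it."""
    store = PersonalDataStore()
    store.update("anna", "sales", "CUST-001", name="Constructed Name", plate="XX-123")
    store.read("bob", "workshop", "CUST-001")
    try:
        store.delete("bob", "workshop", "CUST-001")
    except PermissionError:
        pass  # denied, but still recorded in the audit log
    store.delete("dora", "dpo", "CUST-001")
    return store


if __name__ == "__main__":
    for entry in demo().who_touched("CUST-001"):
        print(entry)
```

Running the script prints four audit entries for the constructed customer, three allowed and one denied, none of which contain the string `CUST-001`. When assessing a real DMS, the questions to ask are exactly the ones this toy answers: can it tell you who touched a given record and when, does it record denied attempts, and does the log itself avoid leaking the data it protects.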

Note that this applies to the whole IT infrastructure and not only to one specific piece of software. It encompasses workstations, servers, networks, devices and operating systems. Networks should provide secure and reliable means of data transfer. Workstations need to be checked regularly for malware or viruses that can make their way to sensitive data and put it in the hands of unscrupulous people.

The implementation, maintenance and support of these elements can be an in-house task or outsourced – software as a service is becoming increasingly popular.

