At this point, you must have heard about the General Data Protection Regulation (GDPR), the impending May 25th 2018 milestone and the horrendous fines for non-compliance. First of all, don’t panic: keep in mind that the famous 20 million euro or 4% of the global turnover (whichever is higher) is the highest fine, applied to serious breaches.
Secondly, take a few minutes to understand how this new data protection law affects car dealers. Let us take you through the main concepts and implications, without the intimidating legal terminology.
What is personal data?
Personal data, in the context of data privacy, is more than what we find on a typical ID card - the term has a broader meaning. Article 4 of GDPR defines it as “any information relating to an identified or identifiable natural person”. Think about the data handled by a dealer relating to a person: from contact information down to the brand of engine oil used during the last maintenance, credit limits, purchase intention, models of interest and the number of times the customer declined the workshop’s recommendations.
Think of data as your assets, similar to parts inventory
It is worth seeing personal data as assets needing to be sheltered, similar to the parts stock – we do not leave the parts warehouse open for everyone to help themselves. We make sure controls are in place to account for the parts inventory: only a few people have access and any spare part that is picked has a clear reason to go out e.g. for a car to be repaired.
Similarly, we must put “boundaries” on the “inventory” of data - a set of controls that lets only authorized people access it by “locking” the doors and defining the rules of usage. This is just like establishing rules for which spare parts are stored where and the valid reasons for taking them out of the warehouse.
The challenge: Keeping track of and handling large amounts of data
It sounds simple – if we think of paper and filing cabinets – but today’s technologies make it harder to identify where the data is. Unlike physical goods, electronic data can be copied, reproduced and distributed in milliseconds.
Let’s think of a simple scenario where a person driving to another town experiences a problem with their car.
Searching for a dealership and booking an appointment can be done from the vehicle. The dealer electronically receives not only the person’s name, contact information and the scope of the work, but also possible faulty conditions of the vehicle. Before reception, any situation related to the vehicle can be received from the manufacturer. After the work is performed, the manufacturer would like to know what was done in order to feed a central vehicle history, evaluate workshop performance and even do predictive analysis, likely with artificial intelligence. Thus, personal data has been:
Today, all this data is considered personal data, and its misuse, intended or not, is what we need to avoid in the spirit of data privacy. The dealer and manufacturer must handle this data with care and avoid unauthorized access. But there is an additional aspect: the control the individual has over the personal data – some activities from this example might stray away from what the person wanted.