Why is GDPR so Important To Auto Dealerships?

GDPR is the biggest change to data law in decades. But those dealerships that adhere to the rules and prepare in advance will avoid the risk of the heavy fines and bad public relations that could come with non-compliance.


On May 25, 2018 the General Data Protection Regulation (GDPR) came into effect and changed entirely how businesses within the European Union (EU) are expected to capture, store and process personal data. This is of particular importance to automobile dealerships.

Auto dealerships have long relied on the legitimate collection of personal data to pursue sales leads, manage the sales process and provide personalized servicing. However, the GDPR’s changes are far-reaching and, for most dealerships, require a thorough re-think about how personal data flows through their organization. Additionally, according to a new survey, auto dealerships’ cybersecurity vulnerabilities can also drive away customers: of 200 dealerships surveyed, 84% of consumers said they would not buy another car from a dealership that had suffered a data security breach, and approximately 33% of consumers are not confident in the security of their personal and financial data when buying a vehicle at a dealership.

So GDPR clearly presents challenges for dealerships. As with any legislative change of this kind, there has been a fair amount of misinformation about the GDPR, so—without the proper guidance—obtaining the most accurate and relevant advice for a business can prove tricky.

The GDPR’s rules are relatively straightforward, and it’s hard to argue with their goal of providing greater control for the owners of personal data. Unfortunately, with systems and processes that have been deeply embedded over the course of many years, dealerships are now faced with a significant amount of work in order to become compliant.

For starters, personal data means everything associated with a vehicle, including vehicle identification numbers (VINs), serial numbers of internal components and anything else. Dealerships collect and maintain a wealth of personal information, including customer names, addresses, phone numbers, dates of birth, Social Security and driver’s license numbers, credit reports, credit card account numbers, financial account information, financing application data, proprietary sales information, and information collected from their websites. Regardless of whether a data breach is accidental or intentional, it can obviously have catastrophic consequences.

So what can be done to step up protection?

The first step is to hire or appoint a Data Protection Officer (DPO), who becomes the point person for ensuring GDPR compliance. Public authorities, and companies larger than 10-15 employees that process personal data, are required to appoint a DPO. The role entails:

  • Regular and systematic monitoring of data subjects on a large scale
  • Processing on a large scale of special categories of data

Next, customer consent must be received—when in doubt, ask first. GDPR mandates that companies receive customer consent before processing or storing customer data. The request for consent not only needs to be laid out in plain language, but also needs to clearly explain how the customer’s data will be used and for how long it will be used and stored. And with GDPR, silence/inactivity no longer means customer consent. Additionally, the terms of consent need to be consistent with the customer’s most up-to-date information, and if changes are required, a new request is in order. Lastly, at any given time, customers have the right to withdraw consent, which requires dealers to respond and act in a reasonable timeframe.

Following consent, dealerships should perform a Data Protection Impact Assessment (DPIA) and IT Risk and Vulnerability Assessment. Companies that store personal data need to do both before every project that involves such personal data. A DPIA is an audit of an organization’s own processes and procedures that measures how these processes affect or might compromise the privacy of the individuals whose data it stores, collects or processes—it ensures compliance, determines risks and evaluates protections.

In the event of a data breach, GDPR requires businesses to notify local data protection authorities within 72 hours of discovery. Reading between the lines, this means dealerships need the technology and processes that will allow them to detect and address breaches within that timeframe. This may require an overhaul of internal data security policies, as well as substantial employee training to ensure they have a proper response plan to data breach threats.

Furthermore, GDPR enforces the data minimization principle, requiring companies to use and keep only the personal data that is needed at any given time for any given purpose. If it is not needed for that intended purpose and duration, it should be deleted, and customers have the right, at any time, to withdraw consent and request that their data be deleted. This is critical.

Clearly, GDPR is the biggest change to data law in decades. But those dealerships that adhere to the rules and prepare in advance will avoid the risk of the heavy fines and bad public relations that could come with non-compliance.

Eric Brown, CISSP, PCIP is a manager with blumshapiro, the largest regional business advisory firm based in New England, with offices in Connecticut, Massachusetts and Rhode Island. The firm, with a team of over 450, offers a diversity of services, which include auditing, accounting, tax and business advisory services. blum serves a wide range of privately held companies, government and non-profit organizations and provides non-audit services for publicly traded companies. To learn more visit us at blumshapiro.com.
