The General Data Protection Regulation (“GDPR”) is a regulation in EU law on data protection and privacy for all individuals within the European Union. The law was put into place on April 27th, 2016 and allotted a two-year adoption grace period for businesses to strategize and implement compliance. The GDPR encompasses all areas of the automotive market, including manufacturers, dealerships, and third-party vendors. With less than one month left, it has been reported that an estimated 61% of U.S. businesses are not ready for the regulation, and that only 67% of European-based businesses have begun moving into the implementation phase of their GDPR compliance program. The potential fines pose a high risk for automotive businesses, as they must be in compliance by May 25th, 2018.
Automotive dealerships are very much in the crosshairs of the GDPR regulations. Several automotive brands have an international footprint, not only through dealerships in several nations, but also through international marketing efforts. A well-known example is Porsche Holdings and its business of selling Volkswagen and Porsche cars throughout Central and Eastern Europe. Beyond the benefit of physical locations near its customers, such a business obtains marketing data through its sales and marketing efforts. The use of this data is where automotive dealers may find difficulty with GDPR compliance.
The GDPR brings an automotive business into scope not only through its presence in the EU, but also through its monitoring of European Union (“EU”) data subjects and its attempts to offer them goods and/or services. Marketing practices most likely include the use of automated individual decision making on EU data subjects, which requires explicit consent under the GDPR. Processing is broadly defined in the regulation to include most actions that can be performed with data, and it specifically covers collection and storage, which dealerships in this case are likely doing.
Therefore, automotive dealers must have processes in place to honor nine distinct rights awarded to EU data subjects, and must be able to operate under the guiding privacy principles defined within the GDPR. The regulation further dictates appropriate security efforts around the protection of personal data, establishes breach reporting requirements, and increases the risk associated with vendors processing this data. These expansive requirements make marketing and vendor outsourcing much more complex for anyone with a direct consumer relationship with EU data subjects.
Smaller “mom-and-pop” owned dealerships may not be taking the new regulations as seriously as they should, but past enforcement actions show that even these smaller companies face enforcement risk. The GDPR states that non-compliant companies posing a risk to EU citizens and their privacy can be fined up to $20 million or 4% of their global turnover for the previous fiscal year, whichever is greater. It is important to note that this fine can be applied per violation.
There are several steps that companies must immediately take to mitigate their exposure to risk. A solid start begins with understanding how the GDPR applies to the various parts of the automotive business, and understanding each unit’s risk profile in order to establish priorities for the initiative. Once risk and priorities have been identified, it is critical for organizations to identify and establish their lawful basis for processing this data.
Every industry has its own unique risk and operational challenges, and every business within it has its own level of maturity relative to industry peers. The trusted counsel of a compliance firm, as a non-biased third party, helps to quickly identify both industry and organizational risks that are often otherwise overlooked. A risk management and compliance consulting firm can help organizations quickly identify risk, formulate a plan to mitigate it, and set up ongoing monitoring programs to maintain valuable records of compliance.
Some have suggested the GDPR will set the global precedent for data privacy and security regulations. Brazil and China have both shown interest in forming similar requirements to protect their citizens’ personal information from businesses storing and transferring data across borders.
To adequately prepare for the GDPR and the similar regulations likely to be introduced in the future, businesses must begin educating themselves on these regulations and deciding how they will meet the requirements. Appropriate processes and procedures obviously help minimize exposure to fines, but they also provide an opportunity within the market to reassure customers and, in return, earn their trust.
Author: Greg Sparrow
Greg Sparrow, Senior Vice President & General Manager of CompliancePoint, has over 17 years’ experience in Privacy, Information Security and Risk Management. Greg has worked on both US-based and international projects. He was responsible for the development and implementation of security programs responsible for protecting billions of dollars in annual transaction volume. Greg’s most recent work includes security and certification work for Samsung Pay, enterprise risk management for multiple NFL and MLB sports teams, and helping to secure critical infrastructure at some of the nation’s largest transit hubs. Greg holds multiple IT and security certifications covering the Healthcare Industry, Payment Card Industry and federal banking standards. EMAIL: email@example.com