Our first blog on the new data protection laws coming into force in the European Union (EU) from 25th May 2018 provided a brief overview of the changes and whether they apply to your business. You can read our introduction to the General Data Protection Regulation (GDPR) here.
This week, we’ll take a closer look at some of the key changes that will affect the automotive industry, delving into what information your business may keep on customers, how that information may be used and how the storage and use of that data must comply with the new rules.
All this information and more can be found in our latest eBook – GDPR: The new data protection law – which you can download for free.
How is customer data used by car manufacturers and retailers?
The automotive industry uses customer data for a variety of purposes and it provides a wide range of commercial benefits – especially for maintaining and boosting customer retention rates. Your business may retain a record of who you sold a vehicle to and when, what options that customer chose, when they are due for an MOT and service, whether they purchased any financial aftercare products or if you need to follow up with a sales call in future.
This data could be used to plan email and SMS reminders when a customer’s vehicle is due to visit a garage for annual checks. You may use it to send promotional materials through the post to sell extended warranties, GAP insurance or special offers on new vehicles. You may retain data simply so you have a record of that customer visiting your business and/or using your services, to provide a better customer experience next time they call.
To continue to store and use this data under the GDPR, you must ensure your business abides by the new rules, or you could face penalties. One area requiring immediate attention is customer consent.
Can you demonstrate customer consent for use of their personal data?
Under the GDPR rules, you must be able to demonstrate consent for use of customer data and when that was given. This consent must be specific, granular, clear, prominent, opt-in, documented and easily withdrawn.
That means consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent. Clear and plain language will be necessary when explaining what the customer is consenting to, as opposed to long terms and conditions full of legalese.
The key points to follow:
- Unbundled – Consent requests must be separate from other terms and conditions
- Active opt-in – Pre-ticked opt-in boxes are invalid. Customers must actively opt in by checking an unticked opt-in box
- Granular – Give granular options to consent separately to different types of processing wherever appropriate
- Named – Name the manufacturer and any third parties (such as Car Care Plan) who will be relying on consent
- Documented – Keep records to demonstrate what the individual has consented to, including what they were told, as well as when and how they consented
- Easy to withdraw – Tell customers they have the right to withdraw their consent at any time, as well as instructions on how to do this
What about current customer consent?
Obtaining the consent of those already in your database may pose one of the biggest challenges. Recently, a major motor manufacturer emailed around 300,000 customers to gain consent. They were fined by the Information Commissioner’s Office (ICO) because the communication they sent breached the Privacy and Electronic Communications Regulations (PECR).