The General Data Protection Regulation (GDPR) has been enforceable since May 2018 but many businesses may still be getting to grips with the most efficient and effective way to collect, store and process personal data under the new regulation. It is vitally important all businesses abide by the new rules and there was a deluge of information prior to the May deadline on making your preparations.

Since then, the ICO (Information Commissioner’s Office) has published a few FAQs for small financial service providers (which could encompass car retailers selling financial add-on products) and a data protection self-assessment to evaluate compliance and provide practical actions to improve your data protection processes.

For further information on the GDPR and its requirements, download our FREE eBook: GDPR – Is the automotive industry compliant?

Answering GDPR frequently asked questions

In the ICO’s FAQs for small financial service providers, they ask whether the GDPR conflicts with other regulatory requirements, such as Anti-Money Laundering, Know Your Customers and Open Banking. The short answer is no. The ICO and FCA (Financial Conduct Authority) work closely to ensure data protection is taken into account when setting regulatory rules.

Another question is on consent and whether it is required to process personal data under the GDPR. As mentioned in our eBook, there are a number of different lawful bases for processing personal data – consent being just one of them. There are other situations when a different legal base will apply, such as complying with a legal obligation. So although consent will be an appropriate way to legitimise processing in some cases, it is not always necessary.

The “right to be forgotten” is another element of the GDPR that prompts questions, as individuals have a new right to request their data is deleted by those holding it. However, this is not an absolute right, and if there is a genuine need to continue processing that personal data (such as a legal obligation) then you are able to do so. Each request must be considered on its own merits and justification provided if the decision not to delete the personal data is made.

For further FAQs for small financial service providers, visit the ICO website.

GDPR self-assessment

If you’re still unsure if your business is meeting regulatory requirements or just want to check on your data processes, the ICO has published a self-assessment toolkit for both data controllers and processors. If you’re not sure which applies to you, you will find further information and definitions in our eBook.

The toolkit has been created with small organisations in mind and will be most helpful to small and medium sized organisations, which will apply to many car retailers. Alongside checking compliance, the toolkit provides a short report suggesting practical actions and links to further guidance to help improve data protection compliance.

The checklists also look at information security, direct marketing, records management, data sharing and subject access, and the use of CCTV. You will find the toolkit on the ICO website here.

To stay up-to-date with the latest regulatory news for the automotive industry, sign up to the Car Care Plan newsletter.