EU GDPR – Its Effect on Automotive OEMs and Their Networks
Will the future of automotive transportation be connected, autonomous and shared? Only if automotive OEMs can obtain the personal data they need and relay it back to their customers.
On May 25, 2018, the EU General Data Protection Regulation (GDPR) becomes applicable in every member state, affecting more than 200,000 car dealers, repairers and workshops. It will impose many restrictions on the use of data obtained from connected vehicles.
Compliance with the GDPR will be essential for maintaining good customer relationships. The automotive industry depends, more than most other traditional industries, on long-lasting relationships with customers. The strategy of selling cars at little or no profit and earning the margin later through aftersales requires frequent customer engagement, and every one of those contacts involves personal data.
To maintain good customer relationships, OEMs must ensure that their dealer networks are working toward GDPR compliance. They must constantly review and improve upon their networks’ implementation of data protection processes. Currently, almost no OEMs are complying with all GDPR requirements.
Handling personal data
A joint publication of the German Automotive Manufacturers' Association (VDA) and the German data protection authorities defines all data that can be linked to a vehicle identification number (VIN) as personal data. This covers almost all data held by a workshop, including diagnostic data and trouble codes, repair data and warranty data, because the VIN ties each record to an identifiable owner or keeper.
This definition of personal data extends to connected and autonomous vehicles. Owners of such vehicles must be clearly told how their data could be accessed by the OEM, and they must have the ability to restrict such access.
The GDPR requires workshops to securely and properly manage personal data and to keep records of how this data is processed. Many small workshops will struggle with record keeping, which requires a deep understanding of their own processes.
In fact, many dealers profile their customers and handle what the GDPR treats as sensitive (special category) data without realising it. Something as simple as a note recording that a customer has children or a dog becomes profiling once it is used to evaluate or predict the customer's interests and tailor offers to them. Customers also hand dealers special category data, such as health details or their religious or political affiliation, when they join special groups that qualify for purchasing vehicles at a discount.
While the repairer is usually the data controller, there are several circumstances in which the OEM, the bank or the leasing company is the data controller and the repairer merely processes the data on its behalf. The role matters, because the controller carries the accountability and breach-notification duties, while a processor must act only on the controller's documented instructions.
Protecting Against Data Breaches
Workshops should be extremely cautious when handling customer requests to exercise their rights of access, rectification and erasure (the "right to be forgotten"). The identity of the requester must be verified before any data is disclosed, corrected or deleted; releasing a customer's file to an impostor, or deleting it at an impostor's request, is itself a data breach. Robust processes must be put in place to prevent data from being lost, corrupted or leaked. Workshops will not be able to trust ordinary email, which is neither authenticated nor encrypted, for verifying identity or exchanging sensitive data; instead, they can set up an identification system with GDPRonline.
Four Key Steps to GDPR Compliance
- Perform an initial self-assessment of your company's current processes
- Create a record of processing activities and, if required, a data protection impact assessment (DPIA)
- Ensure that the rights of individuals asking for information, corrections or deletions are protected, including verification of the requester's identity
- Be sure to manage data breaches, notifying the supervisory authority within 72 hours of becoming aware of a breach unless it is unlikely to result in a risk to individuals, and informing the affected individuals without undue delay where the risk to them is high
How SGS Can Help
To help automotive dealers comply with the GDPR, we provide a suite of services through our management system, GDPRonline. In addition, our onsite consultants will help dealers perform self-assessments, identify gaps and set up action plans.
The EU GDPR will change the automotive world. Stay tuned for more updates.
For more information, please contact:
Global Head of Field Services
t: +49 6128 74873 812
m: +49 172 7648658