Increase in scrutiny for motor retailers as data protection comes under the spotlight

A number of high-profile data breaches have occurred at motor retail groups over the last 18 months. The Information Commissioner’s Office (ICO) remains very active in enforcing UK data protection legislation and has had a particular focus on motor retailers over the last year.

The risk of significant ICO fines (up to £17.5m or 4% of global turnover, whichever is greater) and the associated reputational damage is leading many dealership groups to proactively review their levels of compliance with the requirements of the UK Data Protection Act 2018 (UK GDPR). Below we share some key areas that should be considered in order to demonstrate on-going compliance.

Motor retailers typically process large amounts of data, including sensitive personal information.

  • Core business – a high number of transactions that involve processing large amounts of personal data regarding current/former customers and prospects (e.g., ID information, payment information, addresses stored in used vehicles, personal data within vehicle logs and handbooks). Dealerships also typically engage in direct marketing and, in processing transactions, tend to be heavily reliant on manual processes and hard copy documents which contain personal data.
  • Day to day operations – through the processing of current/former employee data and the details of recruitment applicants.

With this in mind, in order to ensure that the requirements of the UK Data Protection legislation are adhered to and to demonstrate on-going compliance, motor retail groups should consider the following questions.

Strong leadership and robust governance

  • What is the tone at the top? Is compliance with data protection requirements an area of focus / prioritisation for senior leadership?
  • Have adequate resources been allocated with sufficient seniority? Is the data protection compliance function properly resourced with the relevant knowledge and expertise? Do current resourcing arrangements enable you to both implement and ensure on-going compliance with UK data protection requirements? For example, do dealership audits include reference to UK GDPR compliance? Lack of investment in time and resources is a common root cause for organisations struggling to embed data protection compliance programmes into business as usual.
  • Third party assurance – do you have oversight of third parties with whom personal data is shared? Motor retailers invariably share personal data with third parties, for example manufacturers for vehicles under warranty. UK data protection legislation requires that organisations have complete oversight of third-party data processor and joint controller relationships, to ensure that contracts are in place which include the relevant data processing provisions. UK data protection legislation also requires an organisation to have oversight of its exposure to international transfers of personal data outside of the UK and/or EEA, where additional safeguards must be considered.

Staff awareness and skillset

  • Do the individuals assigned responsibility for data protection compliance have the appropriate skills to undertake the role effectively? It is common for data protection compliance to be added to an existing job description, and often the individual does not have the level of experience required. You should therefore ensure that data protection leads have the relevant skills to implement and ensure continued compliance with regulatory requirements.
  • Awareness – are employees familiar with the process in the event of a data breach or data subject rights request, where strict time limits apply? Employee awareness is a key control to ensure that the strict time limits prescribed by UK data protection legislation are adhered to. You should be reviewing whether data protection awareness training has been embedded within the employee lifecycle to ensure continued levels of awareness.

The right processes

  • Are internal data breach reporting processes robust? UK data protection legislation requires that organisations must report certain types of data breach to the ICO within 72 hours of discovery, and in some instances the affected individuals must also be notified without undue delay. This means that you should have robust processes to assess data breaches for severity, and that these are communicated to employees on an on-going basis, to ensure adherence to the strict timescales for reporting.
  • Marketing – do you hold valid consent? Motor retailers actively marketing to customers and prospects must ensure that they hold valid, opt-in consent for the recipients of marketing emails. Organisations that get this wrong risk data subjects complaining directly to the ICO, which could result in enforcement action, including financial penalties for non-compliance. This has been a particular area of focus for the ICO in recent months, with many recent enforcements centring around organisations engaging in unsolicited direct marketing activity, including emails, calls and text messages.

Technology

  • Are your information security arrangements robust? Is information security a key organisational priority to reduce the risk and impact of a cyber-attack? Are IT security defences regularly tested, and do you have processes in place in the event of a cyber-security incident?
  • What is your retention policy? Is personal data retained for longer than reasonably required, thus increasing your exposure in the event of a data breach?

Next steps

At BDO we are currently working with a number of the UK’s largest motor groups to review their data protection strategies; the key areas of concern have been in relation to security over personal data, the response to data breaches, and the protection of customer data in the used car process.

To find out how we could support your organisation in meeting its data protection compliance requirements, please contact us.

To read more about other challenges currently facing motor retailers take a look at our Motor 150 Report 2022 - BDO.
