Mark Lloyd from The Automotive Academy discusses what the new data protection regulation will mean for garages
The General Data Protection Regulation (GDPR) comes into force on 25th May 2018, and applies to all businesses that interact with EU and UK citizens. This means that if your garage hasn’t started preparing for this new legislation yet, you don’t have long to make sure you’re compliant.
Much of the advice surrounding the GDPR focusses on the penalties for ignoring the legislation, but while these can include significant fines (up to £17 million!), focusing on the negative aspects of the GDPR means businesses are overlooking the benefits of making sure they’re compliant.
The GDPR gives individuals more rights over the information companies hold about them. Following the GDPR means that your customers benefit from having more control over their data, and you benefit from a reputation for trustworthiness and knowing that if you’re spending time contacting people, it’s because they’re interested in speaking to you.
The Information Commissioner’s Office has produced GDPR resources specifically for small businesses, which I advise you read, but here are some of the key changes to the law that will be affecting garages this month.
Individuals, both employees and customers, will have several new rights over their personal data, including the right to be informed, the right of access and the right to erasure, among others. The right to be informed means that whenever you collect personal data, even including a licence plate, you will need to tell the individual what you will use the data for and whether you will share it with anybody else. Creating a clear privacy notice to explain how you will process personal data now could save your business a lot of time in future.
The right of access and right to erasure both mean that you need to ensure you know where all personal data is stored in your garage, both on paper and within computer systems. You also need to ensure that you only collect data you need for a specific purpose, keep it secure and up-to-date and only hold data for as long as you need it.
You will also be expected to show Data Protection by Design, meaning that you need to integrate data protection into all policies for processing personal data. It is unlikely that garages would legally need to appoint a Data Protection Officer, but you may choose to, and if you don’t appoint a Data Protection Officer, you will still need to make sure you assign responsibility for data protection.
You will also need to make sure if you’re processing personal data you have a lawful basis for doing so, and should record your lawful basis for each type of data processing. Whichever lawful bases you choose will also need to be included in your privacy notice. Lawful bases include:
- Consent – for example if a customer agrees to be contacted by telephone before their next servicing date to book an appointment. Consent will need to be clear and explicit, with no pre-ticked opt-in boxes, and you will need to get consent for each separate activity. Consent can be withdrawn at any time.
- Contract – if you need to process personal data in order to comply with a contract with the individual, e.g. if you need to use a licence plate to check vehicle details when providing a quote. However, you should only process personal data if you can’t fulfil the contract without doing so.
- Legal obligation – for example, updating the DVLA database after an MOT.
- Vital interests – this only applies if processing the data is a matter of life and death.
- Public tasks – if you are carrying out tasks in the public interest or exercising official authority, and you cannot do this without processing the data.
- Legitimate interests – this is the most flexible lawful basis for processing. You can process data for your business’ legitimate interest, but this needs to be balanced against the individuals’ rights; if they would not reasonably expect the processing, or it would cause unjustified harm, the individual’s interests are likely to outweigh your business’. Legitimate interests will not apply if the same result can be achieved without the data processing. An example could be that a customer’s MOT certificate is about to expire and you decide it is in their legitimate interest to email and remind them to book an MOT soon.
So, before the GDPR comes into force on 25th May, you will need to:
- Assess what personal data you hold about customers and employees, make sure you have a lawful basis for processing it and policies to update and delete unneeded or old data.
- Review your privacy notices.
- Check any consent processes are GDPR-compliant.
- Make sure you could comply with any requests to delete, update or provide a record of personal data you hold on individuals.
- Know what a data breach is and what to do if data is lost or destroyed accidentally.
- Create a Data Protection Impact Assessment to show Data Protection by Design.
- Designate somebody responsible for data protection or appoint a Data Protection Officer.
- Make sure your team are trained on the GDPR.
- Make sure you understand the Information Commissioner’s Office advice for small businesses.
If achieving this within the next few weeks all seems a bit overwhelming, there is a silver lining. The Information Commissioner has gone on the record to reassure businesses that they will be treated fairly and supported if they can demonstrate how they are taking steps to become GDPR compliant. So prioritise the GDPR preparations that will have the greatest impact on helping your customers, start training your team now and keep your garage moving forwards towards GDPR compliance.