GDPR: Understand Data Processing and Take the First Steps

In the last post we examined what the term “personal data” means, especially in the context of automotive retail. We also introduced the core element of data privacy: protecting the personal data that was entrusted to us and making sure that only authorized persons can use it for valid reasons.

Now, what does “using data” mean, exactly?

In data privacy, using data is called “processing”, and here is how Article 4 GDPR defines it:

“… any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”

To put it simply, processing data is everything from something as simple as looking at it to performing complex data analysis procedures.

To process data, you need a legal basis, “the green light” to do so. Article 6 GDPR defines six legal reasons to process data. Here they are, accompanied by examples from typical dealer operations:

  • To protect the vital interests of the data subject – contacting vehicle owners to perform a safety service campaign
  • Legal obligations – retaining individuals’ data on posted invoices or reporting suspicious purchases to the authorities
  • Performance of a contract – collecting and transferring data to check the credit rating of a customer looking to purchase a vehicle
  • Legitimate interests – sending payment reminders or advising a customer to do an additional repair to keep their vehicle functioning properly
  • Public interest – not so common in dealer businesses
  • Consent – this is the legal basis for everything else, and an important one!

Consent is key for most marketing and CRM activities.

The requirement to obtain consent has been around for a while, but with GDPR there are a few important factors to keep in mind:

  • Consent should be given freely and explicitly, with a positive action such as ticking a checkbox or signing a form. This means no more pre-ticked checkboxes and no implied consent.
  • The customer needs to understand clearly what they are giving consent for. The explanation must be easily accessible and concise, and must explain in simple terms what the customer can expect.
  • The customer needs to consent separately to each data processing purpose. For example, if you want the customer to accept your terms of business and to subscribe to your newsletter, you need two checkboxes.
  • It must be easy to withdraw consent. You should record what the customer agreed to and how they did it, and implement mechanisms for the customer to update their preferences.

So what do you need to do to prepare for the May 25 deadline? Get started with the following:

  1. Think about what personal data you are collecting and for what purpose. Check the list of legal reasons above – you need at least one of them to apply.
  2. Check whether you need and have explicit consent for any of your processing activities.
  3. Plan where and how you are going to capture consent, both for your existing and for your future customers.
  4. Implement mechanisms to store and update consent information.

To get you started on the IT part, we will provide some pointers in our next article. Stay tuned!

Posted on 9/2/2018