Maximum number of cars added to compare list.

What's your postcode?

We need your postcode in order to provide accurate search results.

Enquire

Enter your first name
Enter your last name
Enter your phone number

Got a part exchange?

Tell us your reg plate and receive a part exchange valuation on your car?

What's this?

Compare cars side by side to save time clicking backwards and forwards between them.

Are you ready for the General Data Protection Regulation?Back

The GDPR has effectively rewritten the Data Protection Directive, the mainstay of current data protection regime. From May 2018, the GDPR will have a significant effect on your responsibilities when storing data and the uses you can put data to. All businesses are affected, particularly where they use customer details for marketing purposes or exchange them with other businesses in any way. Failure to get this right can result in fines, or worse.

In this second in our series covering this significant change to the law we provide a general overview of the regulations and ask the question, are you prepared?

What is the General Data Protection Regulation (2016/679)? 

In May 2016, the GDPR replaced the Data Protection Directive, which is the European legislation governing the way data is processed. The UK has 2 years from May 2016 to implement this new legislation. The UK will therefore be introducing new legislation to come into force from May 2018 implementing the GDPR

What is the current legislation and why are we changing?

Presently we have the Data Protection Act 1998 (DPA) which doesn’t match what we do in practice.  This was drafted when storage was large filing cabinets and before computers took over our daily working lives.  The GDPR is more geared towards electronic storage and processing and will therefore be more rigorous as it is a comprehensive rewriting of the rules which increases obligations on both Data Controllers and Data Processes.

Changes between the DPA and GDPR

The definitions, shown below, are broadly the same as under the DPA.  In short, a data controller says how and why personal data is processed.  In addition, under the GDPR, the data controller must have in place contracts with processors which comply with the GDPR.  The data processor acts on the data controller’s behalf but the GDPR places specific new legal obligations on the processor.

Definitions

As a reminder, let’s take a look at the main definitions that currently apply under the DPA 1998:

  • Data means information which:

(a) is being processed by means of equipment operating automatically in response to instructions given for that purpose,

(b) is recorded with the intention that it should be processed by means of such equipment,

(c) is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system,

(d) does not fall within paragraph (a), (b) or (c) but forms part of an accessible record as defined by section 68, or

(e) is recorded information held by a public authority and does not fall within any of paragraphs (a) to (d).

  • Personal data means data which relate to a living individual who can be identified:

(a) from those data, or

(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,

and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.

  • Data subject means an individual who is the subject of personal data.
  • Data controller means a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.
  • Data processor, in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.
  • Processing, in relation to information or data, means obtaining, recording, or holding the information or data or carrying out any operation or set of operations on the information or data, including:

(a) organisation, adaptation or alteration of the information or data,

(b) retrieval, consultation or use of the information or data,

(c) disclosure of the information or data by transmission, dissemination or otherwise making available, or

(d) alignment, combination, blocking, erasure or destruction of the information or data.

The definition of personal data is more detailed and expansive and there are accountability requirements on how to comply with the data protection principles.  In addition, any information that has an online identifier, such as an IP address, can be personal data; hence the introduction regarding the new regulation seeking to reflect changes in technology.  The GDPR therefore applies to both automated personal data and manual filing systems where personal data is accessible according to specific criteria.  This will be particularly relevant for any subject access request.

Sensitive personal data will continue to apply and broadly with the same definition albeit there are some minor changes.
Data Principles

The eight data protection principles are similar but with added detail in places and a new accountability requirement.  This means the GDPR requires data controllers and data processors to show how they comply with the principles; such as for example documenting decisions taken about a processing activity.

There has to be ‘conditions for processing’ (reference from the DPA), which means there must be a legal basis before personal data can be processed.  Under the GDPR it becomes more of an issue because the legal basis for processing has an effect on an individual’s rights.  The individual’s rights will increase to cover the following:-

  • The right to be informed;
  • The right of access;
  • The right of rectification;
  • The right of erasure (i.e. the right to be forgotten)*;
  • The right to restrict processing;
  • The right to data portability;
  • The right to object; and
  • Rights in relation to automated decision making and profiling.

*This right has a potential headache for businesses particularly if an employee or customer specifically asks for their data to be removed.  Most firms would retain such information for around six years; which is the limitation for contract claims.  However, the GDPR would not allow the retention of data (if such an erasure request was made) unless there is legal action likely / contemplated / ongoing.

What does this mean for your business?

Businesses will need to review their data protection policies (which apply not only in respect of employees but for customers as well) and ensure compliance with the GDPR.

The present proposals will involve costly infringement action, thereby it will be interesting to see post Brexit whether this still applies and to what extent. However, for those of you who may take the view we do not need to worry about it due to Brexit, legal opinion is that the GDPR is likely to be implemented, albeit there may be slight changes to it in respect of the EU adequacy requirement.

Presently fines can be awarded up to €10,000,000 or up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.  The GDPR will allow member states to provide more specific rules in place in respect of protection of rights and freedoms in respect of processing data.

Next steps

Moving forward it is advisable to plan for the implementation of the GDPR by May 2018.  It may be that post Brexit there is little change in the rules but we shall have to wait and see.

The above is a very broad overview of the GDPR. Which we will be expanding on in the coming weeks and months in the run up to their implementation. This advice is general in nature and it will need to be tailored to any one particular situation. However, for further information please visit the Information Commissioner’s Office website at: https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/

Remember, as an RMI member you have access to the RMI legal advice line, as well as a number of industry experts for your assistance. Should you require further information in respect of the article above, contact the legal advice line at any stage for advice and assistance as appropriate.

Paul Carroll,

Solicitor,

Motor Industry Legal Services

Motor Industry Legal Services (MILS Solicitors) provides fully comprehensive legal advice and representation to UK motor retailers for one annual fee. It is the only law firm in the UK which specialises in motor law and motor trade law. MILS currently advise over 1,000 individual businesses within the sector as well as the Retail Motor Industry Federation (RMI) and its members.

Posted by Sue Robinson on 14/04/2017