Are You Ready for the General Data Protection Regulation – Part 3

The GDPR has effectively rewritten the Data Protection Directive, the mainstay of the current data protection regime. From May 2018, the GDPR will have a significant effect on your responsibilities when storing data and the uses you can put data to. All businesses are affected, particularly where they use customer details for marketing purposes or exchange them with other businesses in any way. Failure to get this right can result in fines, or worse.

In this third article in our series covering this significant change to the law, we look at the requirement for Privacy Notices.

Privacy Notices

Firstly, what are privacy notices, and do you have them?

A Privacy Notice is a standard statement informing data subjects what to expect when you collect and process their personal information. Under current legislation you are required to provide your identity and the uses to which you will put their information. You probably have a privacy notice already; they can generally be found on the company website, in standard terms and conditions or in standalone documents.

These are particularly important if you are using personal data for marketing purposes and will become much more important under the GDPR as the focus increasingly turns to informed consent for processing.

What will be required under the GDPR? 

In some respects, we are still unsure as the UK is yet to produce a draft version of the legislation. Consultation closed on this in April. What we do know is that the Information Commissioner (ICO) is not expecting a one size fits all approach. The requirements of a motor trader collecting data for payroll or for billing purposes will be significantly different to those collecting data for marketing purposes.

Fortunately, the European regulations do provide significant detail within articles 12, 13 and 14 and it is likely that these will be very closely followed.

Whilst this is not an exhaustive list, the privacy notice must contain:

  • The identity and contact details of the controller (i.e. the business) and, where applicable, any data protection officer
  • The ‘purpose’ of the processing and the ‘legal basis’ of any processing (more on this later)
  • The ‘legitimate interests’ for processing the data where appropriate (i.e. internal administration, fraud protection etc.; see articles 47-50, more on this later)
  • Recipients of the personal data
  • Details of any transfers to third countries
  • Retention period or criteria used to determine retention
  • Existence of the data subject’s rights
  • The right to withdraw consent at any time, where relevant
  • The right to lodge a complaint with a regulator (including contact details)
  • The existence of automated decision making including profiling (more on this later)

Any communications under the GDPR with data subjects must be concise, transparent, and easily accessible. The information required in articles 12-14 must be provided in writing and free of charge, and must be provided at the time the data is obtained, or within 1 month if the data is not obtained from the data subject.

The ICO has provided guidance that is available both online and as a downloadable PDF. This can be found at https://ico.org.uk/for-organisations/guide-to-data-protection/privacy-notices-transparency-and-control/privacy-notices-under-the-eu-general-data-protection-regulation/

Conclusion

The above is a very broad overview of one aspect of the GDPR. The legislation and guidance are still developing in the weeks and months in the run-up to their implementation. This advice is general in nature and we will endeavour to keep you informed through regular articles and case studies. For further information please visit the Information Commissioner’s Office website at: https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/

Remember, as an RMI member you have access to the RMI legal advice line, as well as a number of industry experts for your assistance. Should you require further information in respect of the article above, contact the legal advice line at any stage for advice and assistance as appropriate.

Motor Industry Legal Services

Motor Industry Legal Services (MILS Solicitors) provides fully comprehensive legal advice and representation to UK motor retailers for one annual fee. It is the only law firm in the UK which specialises in motor law and motor trade law. MILS currently advise over 1,000 individual businesses within the sector as well as the Retail Motor Industry Federation (RMI) and its members.

Posted by Paul Carpenter on 07/07/2017