Are you ready for the General Data Protection Regulation - Part 4

Lawful Processing

The GDPR has effectively rewritten the Data Protection Directive, the mainstay of the current data protection regime. From May 2018, the GDPR will have a significant effect on your responsibilities when storing data and the uses you can put data to. All businesses are affected, particularly where they use customer details for marketing purposes or exchange them with other businesses in any way. Failure to get this right can result in fines, or worse.

In this, the fourth in our series covering this significant change to the law, we look at the requirement for processing personal data.

What is processing?

Processing is defined under the GDPR at Article 4(2) as:

“Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;”

As such, whenever you are collecting, organising, structuring, storing, adapting, altering, retrieving, disseminating or making available personal details, such as an employee’s details for payroll or a customer’s name and address for billing or marketing, you will need to comply with the GDPR.

Lawful

Under the GDPR, processing must be lawful. Under Article 6 of the GDPR, processing is only lawful if one of the following applies:

(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

(c) processing is necessary for compliance with a legal obligation to which the controller is subject;

(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;

(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Why is the lawful ground for processing important?

Whilst consent to any processing will be lawful, which ground you use is very important, as the lawful reason for processing any data will affect:

  • the legitimate uses to which the data can be put,
  • how long it can reasonably be kept and
  • whether the data subject can request for the processing to be stopped, modified and/or deleted.

Whilst you can rely on consent at all times, consent can be withdrawn. Where you are processing data for billing purposes, for example, it would be more appropriate to rely on ground (b). Where you are keeping the data to comply with FCA regulations for record keeping only, ground (c) would be more appropriate.

Where must I rely on consent?

Under the GDPR you must rely on consent where you are processing ‘sensitive personal data’.

Sensitive personal data includes data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

Whilst it is unlikely that you will be regularly processing such data, you may hold such data for Motability customers or for employees. If you hold such information then you will need to ensure additional protections and consents are in place.

Conclusion

The above is a very broad overview of one aspect of the GDPR. The legislation and guidance are still developing in the weeks and months in the run-up to their implementation. This advice is general in nature and we will endeavour to keep you informed through regular articles and case studies. For further information please visit the Information Commissioner’s Office website at: https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/

Remember, as an RMI member you have access to the RMI legal advice line, as well as a number of industry experts for your assistance. Should you require further information in respect of the article above, contact the legal advice line at any stage for advice and assistance as appropriate.

Motor Industry Legal Services

Motor Industry Legal Services (MILS Solicitors) provides fully comprehensive legal advice and representation to UK motor retailers for one annual fee. It is the only law firm in the UK which specialises in motor law and motor trade law. MILS currently advise over 1,000 individual businesses within the sector as well as the Retail Motor Industry Federation (RMI) and its members.

Posted by Sue Robinson on 11/08/2017