Maximum number of cars added to compare list.

What's your postcode?

We need your postcode in order to provide accurate search results.


Enter your first name
Enter your last name
Enter your phone number

Got a part exchange?

Tell us your reg plate and receive a part exchange valuation on your car?

What's this?

Compare cars side by side to save time clicking backwards and forwards between them.



Data Security

The GDPR has effectively rewritten the Data Protection Directive, the mainstay of current data protection regime. From May 2018, the GDPR will have a significant effect on your responsibilities when storing data and the uses you can put data to. All businesses are affected, particularly where they use customer details for marketing purposes or exchange them with other businesses in any way. Failure to get this right can result in fines, or worse.

In this the eighth of our series covering this significant change to the law, we look in more detail at the requirement for data security when processing and retaining data.

Appropriate Technical and Organisational Measures

There have always been controls over data security. One of the 8 principles established by The Data Protection Act 1998 required data controllers to put in place

“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”

This requirement is continued into the GDPR under Article 5.

When considering what technical and organisational measures should be taken you should consider the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. The more sensitive the data held and/or the greater the risk should the data be compromised, the greater steps will need to be taken to secure it.

That does not mean that the Information Commissioner’s Office will expect all data to be secured using the most sophisticated measures. You are entitled to consider the costs of implementation and weigh this against the risks.

The GDPR identifies some common security steps that can be considered where appropriate. These include

  • the pseudonymisation and encryption of personal data;
  • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
  • a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

Are there any standards that can be used?

There are 2 main data standards currently within the UK; PCI DSS and ISO27001.  Whilst there is no requirement at law to utilise any particularly standards these can help demonstrate that appropriate technical and organisational measures are being used.

What does this mean in practice?

Whilst the GDPR puts data security at the heart of data protection and does put more stringent requirements in place, the position will remain broadly the same. If appropriate technical and organisational measures were in place under the DPA then you are likely to be complying significantly with the GDPR.

That said security is a continuing requirement. If you haven’t reviewed your processing and procedures recently then they may no longer be appropriate. You should ensure that they are regularly assessing the data processes and the technical and organisational steps taken to protect it. Where either the and ask themselves what is the danger if security measures fail. The more serious the outcome the more significant technical and organisational measures for protection will have to be.


Data Security is one of the major risks of data processing. Breaches of security attract not only the highest fines, but also put companies at risk of compensatory payouts as well. Significant steps should be taken to ensure that data is taken, used stored and destroyed securely

The above is a very broad overview of one aspect of the GDPR. The legislation and guidance is still developing in the weeks and months in the run up to their implementation. This advice is general in nature and we will endeavor to keep you informed through regular articles and case studies.

Remember, as an RMI member you have access to the RMI legal advice line, as well as a number of industry experts for your assistance. Should you require further information in respect of the article above, contact the legal advice line at any stage for advice and assistance as appropriate.

Motor Industry Legal Services

Motor Industry Legal Services (MILS Solicitors) provides fully comprehensive legal advice and representation to UK motor retailers for one annual fee. It is the only law firm in the UK which specialises in motor law and motor trade law. MILS currently advises over 1,000 individual businesses within the sector as well as the Retail Motor Industry Federation (RMI) and its members.


Posted by Sue Robinson on 02/03/2018