September 02, 2019

How to Make Your Car Dealership GDPR Compliant

Car dealerships have long relied on the collection of personal data to pursue sales leads and manage the sales process. But the introduction of GDPR has dictated that car dealerships rethink the way sensitive information flows through their organisations.

In February, Toyota and Lexus confirmed that as many as 3.1 million items of confidential customer data may have been breached following an attack on their dealerships in Japan. But while these attacks took place thousands of miles away from home, don’t be fooled into thinking the threat of a data breach isn’t very much on your doorstep.

The ICO’s (Information Commissioner’s Office) ever-growing list of companies they’ve taken enforcement action against is testament to this, with over £1,000,000 in monetary fines handed out to the likes of Uber, EE, Facebook, Heathrow Airport and Humberside Police – showing that anyone is at risk from a data breach and the costly fines that follow.

So this September, we’re asking the question: is your car dealership protected from a data breach? To help you ensure the sensitive information of your customers, clients and staff is protected, and to ensure you don’t fall victim to the crippling fines handed out by the ICO, here are the best practices to prevent a data breach at your car dealership.

Think compliance: Download our whitepaper and familiarise yourself with the official GDPR legislation of the ICO. Engage with your staff and commissioning bodies to ensure everyone is aware of the specific requirements of the automotive industry.

Data you hold: Start by documenting your internal systems and identifying where personal data is stored in both physical and online files. Create a list of the software used across your dealership and check with suppliers that they’re GDPR compliant and what data they are extracting from your users.

Customer consent: Review how you manage and record the personal data of your customers for marketing and other communications. When capturing data, you must have a physical opt-in – the data capture process cannot be hidden and you will need a simple method for customers to retract consent.

Protect it: Use a document management process so all data is secured from creation to disposal. A retention policy should identify which documents must be kept and for how long. Mark records in storage with their destruction dates.

Increase cyber security: Prevention and detection tools are critical. Keep everything up-to-date and reinforced. In the case of a data breach, have a response plan in place and be ready to effectively and efficiently manage a security breach. Practice disaster and recovery plans and always back up digital information.

Appoint a data protection manager: Where possible, appoint somebody within your dealership to assume responsibility for data protection compliance. If this won’t be possible, enquire to see how a third party can assist to ensure compliance with GDPR.

Record data breaches: If a data breach occurs, you need to establish the likelihood and severity of the resulting risk to people’s rights and freedoms. If it’s likely that there will be a risk, you must notify the ICO. Any breach must also be reported to your appointed data protection officer.

Destroy it: Have a formal procedure for the secure destruction of documents. Partner with a company that provides a secure chain of custody and a documented process for the destruction of paper, hard drives and e-media. Introduce a Shred-it all policy so that all documents are securely shredded automatically.

Start Protecting Your Business 

We protect what matters – and what matters to us is the safety of your car dealership. To learn more about how we can protect the sensitive information of your customers, staff and clients, please contact us to get a free quote and data security survey.

Our Data Security Survey is a crucial first step to ensure vulnerable areas of your car dealership are identified – so we can provide efficient, expert recommendations on how to reduce the risk of a data breach.