The General Data Protection Regulation (GDPR) will come into effect in May 2018, fundamentally changing the way customer data is stored, used and passed on. Saad Ahmed speaks to Sofico, RSM, Pentana Solutions and Addleshaw Goddard about the changes, and their effect on motor finance.
“It’s the biggest change in data protection law in 20 years,” Toni Vitale, legal director, data and information team at Addleshaw Goddard, tells Motor Finance. The EU has put the issue of data firmly back on the agenda with the General Data Protection Regulation (GDPR). Adopted in April 2016, the GDPR is the biggest overhaul in data protection law since the 1990s.
With the rules due to come into force on 25 May 2018, Motor Finance investigates the GDPR, unpicking what has changed from the old system, and how the updated regulations may affect the motor finance industry and its use of data.
Free movement of data
“We always talk about free movement of people, free movement of jobs, and free movement of capital. One thing that the GDPR helps to establish, by harmonising the laws everywhere, is free movement of data,” Vitale says.
A major driver behind the introduction of the GDPR by the European Commission is the development of what the institution calls the Digital Single Market. The aim is to harmonise policy around the storage and use of data throughout the EU, and allow both individuals and businesses to carry data across borders. The GDPR will apply to all businesses operating in the European single market, including those based in other jurisdictions.
The GDPR replaces the 1995 EU Data Protection Directive. As a directive rather than a regulation, the 1995 law did not apply directly in member states: Vitale says that, unlike the GDPR, it was left to each state to implement in its own time and, largely, in its own way. The UK’s domestic legislation implementing the directive was introduced in 1998, in the form of the Data Protection Act.
“[The instruction was], more or less, ‘implement these principles into your legislation’. Countries took several years to introduce that. We didn’t pass our data protection law in the UK until 1998 – three years later,” Vitale says.
He stresses that the looser nature of the previous directive led to differences in interpretation of what constituted certain types of data. As a result, the national laws implementing the 1995 directive did not offer the same protections and standards across European borders.
“For example, in Italy personal data about companies is personal data, whereas everywhere else in Europe it’s personal data about individuals only. So there are some quite big differences,” he explains.
Vitale adds that the GDPR went through several years of consultation and drafting before its adoption in 2016, with application set for May 2018. “It started off five years ago with early drafts being passed between the Council of Europe and the member states, and the [European] Commission. And then, four years of drafts developed until it came into force in 2016, but with a two-year implementation period. So it has already been in statute books since May last year,” he says.
A major difference between the GDPR and the previous regime lies in who is liable when data is misused or breached. The new regulation places obligations directly on data processors, as well as on data controllers, to ensure that their practices are in line with the rules and that data is processed on a lawful basis, such as the consent of the individual.
“The key of the GDPR is fair, lawful and transparent processing. It’s all about telling people what you’re going to do with their data, and doing nothing else with it,” says Bram Wallach, product manager at Sofico.
Industry body Leaseurope held a policy lunch in Brussels in May with a variety of European vehicle advocacy groups. In the session, Leaseurope and the coalition of groups called for a common telematics policy across Europe, to allow “useful” data to be shared. The group claimed that telematics data was only shared with vehicle manufacturers, which limited the quality of data in the industry. It called for EU regulation to allow this information to enrich the common data pool.
Asked if the GDPR would help or hinder this ambition, Wallach says car manufacturers are currently able to claim data protection as a reason for failing to make connected car data more freely available across Europe in the industry.
“It’s a very interesting debate, because the car manufacturers are hiding behind a number of arguments – some true, some false – in order to not make the data available,” he says. “[One] argument is data protection and privacy, where all of a sudden car manufacturers seem to be the guardian angels of your privacy.”
Wallach adds that while he believes that there will be a push towards more open data sharing between companies and across the continent, the GDPR will create stricter requirements for what is considered personal data: “Even a combination of data that would indirectly allow for identifying an individual – even location could be an indirect disclosure of personal data.”
Dealing with it
The effect of the GDPR on dealers is likely to be severe. Accountancy business RSM has urged dealer clients to prepare for the upcoming regulations, warning that financial health and reputations could be at stake.
Steve Snaith, head of technology risk assurance and partner at RSM, tells Motor Finance that the first step for dealers is to ensure they know where their information is being held.
“They’ve got to make sure they know what information they have, where it’s held, and where it’s coming from – and if you’re transferring data out, where it’s going to,” he says. “After that, they can do some checks, [seeing] if they’ve got the right controls to protect that information, and being compliant with the future GDPR requirements.”
Mike Gadd, vice-president and UK general manager of Pentana Solutions, says dealers must seek advice from industry bodies. He adds that dealers must adjust contracts to gain explicit consent for data usage and sharing, in line with the upcoming regulation.
Gadd advises dealers to assess their current data collection procedure, and see where it may fall short of GDPR rules. “A natural starting point is to map current data collection and usage to identify gaps within the current compliance against the GDPR. This will enable the business to create a plan to meet the GDPR standards.
“More than this, it will help the dealer to collect customer data accurately and completely and gain their positive consent to ongoing contact,” Gadd notes.
Focusing on online dealers, Snaith raises the issue of allowing would-be customers to opt in to sharing data, in contrast to many current models which prompt people to tick a box to opt out of their information being shared to third parties.
“There’s got to be an opt-in for a potential customer to confirm if they’re happy for their data to be captured and stored. Dealers generally have lots of personal information from customers, so you need a framework to ensure that the controls are there to protect that information, and that they have a good process to capture consent,” Snaith says.
He adds that dealers must rethink how they approach data retention, and mentions third-party data processors, to which the GDPR has extended liability.
“How long are they keeping customer information for? There are three guidelines in terms of how long data should be kept, and there’s more of an onus in terms of responsibility of data protection,” Snaith tells Motor Finance.
“It’s all about what information they have. How long have they had it? Have they got consent to hold it? And is it adequately secured? If they’re dealing with third parties, are there contractual data-confidentiality agreements?” Snaith adds.
The implementation of the GDPR will have an impact on the way vehicle fleets use data. Wallach says Sofico has designed a two-step process to help clients comply with the upcoming regulation. “First you remove data from operational use, and leave it in an access-restricted archive. The second step – and that could be after 10 years for instance – is removing it from that particular archive,” he says.
Wallach states that data in the access-restricted archive would remain available for legal or audit reasons, if the data is needed to identify an individual or their record. Once the second step is implemented, and the data is removed from the archive, the process is irreversible, and “there is no way to identify the individual any more.”
Wallach adds that there is a conflict between data privacy and the need to keep data for legal reasons. “That is just our take on data retention, because we know there’s a conflict between privacy on one hand, and legal retention periods on the other.
“I happen to know that most companies take it the legal way, and just make an argument for the longest retention periods as legally needed,” he says.
He suggests that fleet operators may have to retain some individual driver information due to contractual agreements. “As soon as the contract has ended, and all financial settlements have been made, you could argue there’s no reason any more to still know who that driver was,” he says.
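The two-step retention process Wallach describes above can be made concrete in code. The following is an added example written for this article, not Sofico’s own software: it models an operational store, an access-restricted archive that only answers legal or audit requests and logs every access, and a final irreversible purge, after which the driver can no longer be identified even by an auditor. The record fields, the ten-year archive period, the driver records and the run dates are all constructed assumptions.

```python
"""Two-step data retention: operational store -> restricted archive -> purge.

Added example modelled on the process described in the article; not Sofico's
code. Retention periods, field names and sample records are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed archive period ("after 10 years, for instance" in the quote).
ARCHIVE_RETENTION = timedelta(days=365 * 10)
# Only these purposes may read the archive; everything else is refused.
ALLOWED_ARCHIVE_PURPOSES = {"legal", "audit"}


@dataclass
class DriverRecord:
    driver_id: str
    name: str
    plate: str
    contract_end: date
    settled: bool  # all financial settlements made?


@dataclass
class ArchiveEntry:
    record: DriverRecord
    archived_on: date


class RetentionStore:
    """Operational store plus access-restricted archive (hypothetical design)."""

    def __init__(self) -> None:
        self.operational: dict[str, DriverRecord] = {}
        self._archive: dict[str, ArchiveEntry] = {}
        self.access_log: list[tuple[date, str, str]] = []

    def add(self, rec: DriverRecord) -> None:
        self.operational[rec.driver_id] = rec

    def identify_by_plate(self, plate: str) -> Optional[str]:
        """Day-to-day lookup: only the operational store is searchable."""
        for rec in self.operational.values():
            if rec.plate == plate:
                return rec.driver_id
        return None

    def run_retention(self, today: date) -> dict[str, list[str]]:
        """Apply both retention steps as of `today`; returns what moved."""
        archived: list[str] = []
        purged: list[str] = []
        # Step 1: contract ended and fully settled -> out of operational use.
        for rec in list(self.operational.values()):
            if rec.settled and rec.contract_end <= today:
                self._archive[rec.driver_id] = ArchiveEntry(rec, today)
                del self.operational[rec.driver_id]
                archived.append(rec.driver_id)
        # Step 2: archive period elapsed -> irreversible deletion. No mapping
        # or backup is kept, so the individual cannot be identified afterwards.
        for driver_id, entry in list(self._archive.items()):
            if entry.archived_on + ARCHIVE_RETENTION <= today:
                del self._archive[driver_id]
                purged.append(driver_id)
        return {"archived": archived, "purged": purged}

    def archive_lookup(self, driver_id: str, purpose: str,
                       today: date) -> Optional[DriverRecord]:
        """Restricted access: legal/audit purposes only, every access logged."""
        if purpose not in ALLOWED_ARCHIVE_PURPOSES:
            raise PermissionError(f"archive access refused for purpose {purpose!r}")
        self.access_log.append((today, driver_id, purpose))
        entry = self._archive.get(driver_id)
        return entry.record if entry else None


def run_demo() -> dict:
    """Runs the lifecycle over constructed sample records and reports results."""
    store = RetentionStore()
    store.add(DriverRecord("d1", "A. Driver", "AB12 CDE", date(2017, 6, 30), settled=True))
    store.add(DriverRecord("d2", "B. Driver", "XY34 ZZZ", date(2019, 1, 31), settled=True))
    store.add(DriverRecord("d3", "C. Driver", "LM56 NOP", date(2017, 6, 30), settled=False))

    step1 = store.run_retention(date(2017, 7, 1))
    after_step1 = {
        "ops_d1": store.identify_by_plate("AB12 CDE"),  # archived: not found
        "ops_d3": store.identify_by_plate("LM56 NOP"),  # unsettled: still operational
        "audit_d1": store.archive_lookup("d1", "audit", date(2017, 7, 1)).name,
    }
    try:
        store.archive_lookup("d1", "marketing", date(2017, 7, 1))
        marketing_refused = False
    except PermissionError:
        marketing_refused = True

    step2 = store.run_retention(date(2027, 7, 1))  # ten years later
    legal_d1_after_purge = store.archive_lookup("d1", "legal", date(2027, 7, 1))
    return {
        "step1": step1,
        "after_step1": after_step1,
        "marketing_refused": marketing_refused,
        "step2": step2,
        "legal_d1_after_purge": legal_d1_after_purge,
        "access_log_entries": len(store.access_log),
    }


if __name__ == "__main__":
    print(run_demo())
```

The design choice worth noting is that the archive is a separate store with its own gate, rather than a flag on the operational record: operational code cannot reach archived drivers at all, and the purge deletes the only copy, which is what makes the second step irreversible.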
This reveals an issue with the GDPR, which many of those interviewed identify. The regulations – despite having added more specific terms and widened liability, and even providing examples – remain vague in many areas. The basic notions of what constitutes excessive data collection, and when this data is no longer needed, remain significant grey areas.
“The European Commission – and more broadly the GDPR – does not actually specify a lot of things in detail,” Wallach says. “They stick to the principles – data minimisation and storage limitation – saying you are not supposed to capture any more data than strictly needed and you should not hold onto that data any longer than needed.”
Wallach adds that the GDPR puts the onus on businesses to prove that they still require the data, rather than placing a set limit on the number of years for which data can be kept. “As a business you have to make an argument as to why you need the data. If you can’t make that argument any more, then the data is supposedly obsolete or redundant,” he explains.
At what cost?
When the GDPR comes into force in 2018, the regulation will have a profound impact on the way the automotive industry operates. Fleet operators will be forced to anonymise individual data, in a move which could hinder the development of more tailored solutions for drivers and customers. The range of data that counts as personal may prove much wider than at present, which may cause operational issues for fleet lessors.
“A license plate is also to be considered personal data; a fleet might not think that’s really personal data. The GDPR’s summary says that when there’s a reasonable chance that somebody could use that piece of data to identify an individual, then it’s considered personal data,” Wallach says.
“That reasonable opportunity might well be a friend working with the police for instance, who has got access to that type of database.”
For companies such as Sofico that operate fleet software, contractual agreements between all who handle the data must be devised. “That means that data controllers – so our customers in this case, the fleet operators, fleet companies and leasing companies – need clear contractual relationships with any of their data processors, including hosting companies,” Wallach says.
The increased legal hurdles may, for many companies, feed through into prices for the end user. “It’s certainly not going to reduce costs, but there may be some value in properly specifying data capture, processing, retention and disposal,” Wallach says, adding that while the contractual nature of the industry may prevent costs rising, online companies in other areas may see increased hurdles.
“Free services on the internet will probably suffer the most, because where they were able in the past to compensate for the cost by using all kinds of advertising and profiling, that’s going to be a lot more difficult in the future,” he says.
Speed of service may also suffer, as businesses will be required to demonstrate GDPR compliance. “It’s going to add some time to that,” says Wallach.
“The GDPR has inverted the reasoning: All of a sudden, the controller and the processor are now supposed to demonstrate compliance, under the accountability principle of GDPR Article 5,” Wallach adds.
“When they come knocking at the door and you cannot demonstrate your compliance, you’re likely to get into trouble with the data protection authority and you could ultimately be fined.”