As we approach the first anniversary of GDPR, it is an appropriate time to reflect on some of the common day-to-day compliance issues that dealerships are facing, review recent enforcement trends, and consider what further changes the coming months may bring, writes Kitty Rosser, senior associate at Birketts.
The UK’s Information Commissioner, Elizabeth Denham, has consistently emphasised that achieving genuine GDPR compliance would require long-term, ongoing action.
The GDPR compliance projects implemented by many dealerships leading up to 25 May 2018 were very much a starting point rather than a final solution, with GDPR remaining a high priority issue on management agendas.
As legal advisors, the top three types of compliance query we are seeing from motor dealer clients are:
1. In first place by some margin are enquiries relating to subject access requests. Dealerships are receiving more of them, and are struggling to respond within the shortened timeframe.
Lack of guidance around when response deadlines can be extended and when a request can be considered as “manifestly unfounded or excessive” – triggering the right to impose a fee, or even refuse the request – is a common frustration.
We advise testing and streamlining internal procedures and keeping an eye out for updated guidance from the ICO. In particular, make sure all staff can recognise a subject access request, know whom to refer it to internally, and understand they must do so immediately.
2. Taking second place are queries regarding data processing contracts. Dealerships will need to have written contracts in place containing certain mandatory data-processing clauses whenever they sub-contract any data-processing activities. We recommend becoming familiar with the ICO guidance and having a standard data-processing agreement and due diligence questionnaire ready to send out quickly when needed.
3. In third place, many dealerships are seeking guidance on when Legitimate Interests Assessments and Data Protection Impact Assessments are required, and what these should look like. The ICO has produced practical guidance and template documents for both of these, which provide an excellent starting point.
In terms of enforcement trends, the ICO has been incredibly busy in the last 12 months with the number of enforcement actions on an upward trajectory.
A significant proportion of actions continue to relate to breaches of the marketing rules. We saw a real flurry of compliance action from dealerships in this area during the pre-GDPR period, but have noted that many companies seem to be falling back into old, non-compliant habits more recently.
This is an area that dealerships need to get to grips with, particularly in light of the ICO’s new powers to impose fines of up to £500,000 against company directors and officers personally for this type of breach.
We have also seen enforcement action against companies using CCTV without displaying proper signage, fines for companies that have failed to pay the annual fee to the ICO, and criminal prosecution against an individual who took details of former clients with him when beginning work for a new dealership.
While GDPR continues to feel very new, further change is on the cards in the coming months which dealerships will need to be prepared to accommodate.
It is likely that we will see a final version of the new ePrivacy Regulations shortly, along with a timetable for implementation. These will replace the marketing and cookies rules under the Privacy and Electronic Communications Regulations, and so may require dealerships to further review the legal basis for marketing activities and review their consent mechanisms and the information displayed on websites.
Inevitably, there has also been significant speculation as to the impact of Brexit. The government has been clear from the outset that the GDPR will continue to apply in full post-Brexit, so there will be no substantive change to the general standards and requirements already applicable.
However, as it is now apparent that the European Commission will not be making a formal adequacy finding recognising that the UK has EU-standard data protection laws in place before Brexit, companies based in the EU will be restricted from transferring personal data to the UK.
The ICO has produced several useful pieces of guidance and online tools. We advise any dealerships that are currently receiving personal data from companies in the EU to familiarise themselves with these sooner rather than later.
by Kitty Rosser