How to keep retail sales GDPR compliant for 2022 in the automotive industry
GDPR came into effect on 25 May 2018, but many companies are still unsure whether they are acting in a fully compliant manner. A number of those companies have already been fined for failing to meet the new guidelines. According to PreciseSecurity analysis, the top GDPR fines combined amounted to a staggering $443.7 million. British Airways received one of the biggest fines of the year, being charged a huge $230 million for failing to prevent and stop a cyberattack. The attack saw personal data from 500,000 customers being leaked to cybercriminals.
British Airways were fined because they had poor security arrangements which compromised the safety of their customers' data. Many people believe GDPR is just about the way you handle the data, but it also covers your efforts to prevent it from getting into the hands of people it is not supposed to reach. You must document exactly how you obtain and manage customers' sensitive information and how you protect it, with clear evidence to prove how you have done this. If you don't have the evidence, you could face a large fine.
With privacy and data laws constantly changing, it is also essential that your business moves rapidly to keep your automotive staff up to date and ensure they understand what the changes mean for them.
So who else has received GDPR fines and penalties?
Below is a list of just some of the companies who have violated GDPR, courtesy of NathanTrust:
ClickQuickNow - Breach = The right to withdraw consent
Morele - Breach = Failure to protect data
Deutsche Wohnen - Breach = Saving data from applicants and not being able to delete the data
Leave.EU & GoSkippy - Breach = Sending emails from GoSkippy to Leave.EU subscribers
Rubrik - Possible breach = Suffering a large data leak
Bisnode - Breach = Failure to fulfil its data subject rights obligations under Article 14 of the GDPR
Facebook - Possible breach = Stored hundreds of millions of user passwords insecurely
Municipality of Bergen - Breach = One file with employees' and students' login credentials was in the wrong place
What are the key areas to watch in the automotive industry?
If you work in the automotive industry you probably already know you are at high risk of a data breach. You collect financial information on customers, driving records, payment profiles, addresses, contact details, service workshop data, diagnostic results, trouble codes, repair data, warranty information and vehicle identification numbers. All of these need to be handled in a very careful manner. Inadequate record-keeping, failure to keep the data safe or not getting the full consent you need can result in a hefty fine. An example of where a firm unknowingly broke the law was when a German motoring organisation discovered that a huge amount of data was being captured by their cars' onboard diagnostic systems. This included driving destinations and phone contacts.
How can you ensure that all of your different car dealerships are acting in a fully compliant way?
When you have multiple different outlets it can feel daunting trying to ensure that each one is acting in a fully compliant manner. Good visibility, speedy operations, thorough tracking, reporting and training are the best ways to feel confident that all of your employees are compliant. Below we have put together a few tips on how Ocasta apps (Review and Engage) can help the automotive industry stay compliant in the most efficient way possible.
Keeping policies up to date and ensuring that they are followed
A huge part of GDPR in the automotive industry is about ensuring your policies are always up to date and followed. Because of how much personal data is acquired in the car industry, policies need to be refined and specific. A one-size-fits-all policy approach just won't work. Of course, this is a lot of work when you need to make sure that thousands of your employees are following the updates. Engage's dash has a large clickable banner which can be used to draw attention to key updates or changes. This is the perfect place to announce new policies or changes to procedures. When employees click on the banner, you can make it link through to the relevant policy.
Ensuring your customer data handling policies are read and understood
Once your employees have clicked through to your policy, you can set an acknowledgement which they will have to click to confirm that they have read and understood it. Most of your sales staff will be handling a lot of customer data, and they will likely have to extract information from databases and save it on desktops or file servers. Therefore it can be easy for data to move from its intended location, so it is essential that they read your policies on how to handle and store it. You can set these acknowledgements to be daily, weekly, monthly or quarterly to ensure their GDPR knowledge is always fresh in their minds and you are 100% compliant.
If an employee has read and declared they have understood the policy and then does not follow your protocol, they will be liable to explain exactly why this did not happen.
Ensuring your employees understand your GDPR policies and procedures
Making sure employees read your policies and changes is one thing, but actually getting them to understand why they need to take certain actions is another. Plus trying to do this in a short space of time to keep up with the constantly changing requirements can seem near impossible.
With Engage, any GDPR policy or procedure which you upload to the platform can be repurposed for learning. Simply add questions or tasks to any compliance document which will then show up as a microlearning playlist. As employees working in car dealerships have limited time to sit at a computer the playlists have been designed so that they can jump in and out of them rather than completing the whole module. They only take 3-5 minutes to complete so when they have a quiet moment on the car showroom floor they can complete the questions on their iPad, tablet or mobile device.
A task you could set within these playlists could be to log onto their portal and ensure that any data they have moved from the previous day is either deleted if it is a duplicate or moved back to its original file.
Example of where this could have been applied in real life:
A company called Life at Parliament View was fined because they transferred personal data from their server to a partner organisation and failed to switch off an ‘Anonymous Authentication’ function. This failure meant access restrictions were not implemented and allowed anyone going online to have full access to all the data stored between March 2015 and February 2017.
If you had a policy on switching the anonymous authentication function off but people didn't understand its importance, they might not be as diligent in making sure this is done.
Training staff on the importance of the 'Anonymous Authentication' function should have been the main priority, requiring employees to complete learning modules on the subject daily or even weekly to ensure that the knowledge of its importance was fully embedded in their minds.
Understand how data moves through your automotive business with a GDPR data map
GDPR requires you to review your data and understand its exact journey throughout your organisation. You should create a template report which employees can fill out when doing an audit of their customer data. The template should include:
How was the data collected?
What data was collected?
Why did you collect the data?
Where have you stored the data and who has access to it?
When will the data be disposed of?
Our reports are designed to be quick and easy: employees can tap on the preformatted tiles and touch or write to select the appropriate answer. They can also add tasks for themselves or others to complete, with a deadline. You will then be able to see an overview of all the aggregated data. This gives you the insight to spot which locations or people are posing a risk or threat to your GDPR compliance.
Example of where this could have been applied in real life:
Taxa 4x35, a taxi company in Denmark, is under investigation by the Data Protection Authority and could be fined $180,000 for not deleting customers' telephone numbers. Had they carried out a proper data map and realised they had no process in place for when customer telephone numbers should be deleted, they would have been able to highlight the breach and handle it for the future.
Ensuring the right people see the right information
GDPR in the automotive industry is incredibly complex because different departments are responsible for handling and managing data in different ways. Because of this, you will have certain policies to which you will have to limit access. For example, a policy you have to detect and stop anyone performing bulk data transfers or using unfamiliar third-party applications on data sources will not need to be seen by the sales staff working in your dealerships who don't have access to large amounts of data. Engage allows you to select who can view certain policies; you can define this by location or role.
Digital retail checklists for record-keeping when obtaining customer information
GDPR requires organisations to keep records regarding their data processing activities. When a new customer buys a car your sales staff will have to take their driver’s license, proof of insurance, a form of payment, credit score and history and references.
You can use Ocasta Review to create timed and tracked digital checklists which your employees must check and go through with their customer. This helps ensure the customer is aware of what is happening with their data and you have proof of their understanding. The checklists might look like the one below:
Ensuring data is never stored on devices
A big risk for those working in the automotive industry is where customer data is stored. If your sales staff are taking photos or scans of customer information and then uploading it to a system, they have to remember to remove it from the device once it is sent or stored in the right place. There also have to be protective measures in place to prevent theft or misuse of the device which they are collecting customer data on.
Ocasta Scan allows employees to capture customer data which can be sent to the relevant places; the data is then automatically deleted from the device. It never touches the camera roll, meaning you can be confident that you are compliant with no breach of data protection. If an employee scans some data and leaves the device without carrying out any activities, the app will wipe the images and the staff member will have to retake them, ensuring they are always secure and safe. The period of inactivity before the images are wiped is customisable, so you can decide how long is appropriate for your business.
Example of where this could have been applied in real life:
A real estate company called Deutsche Wohnen was fined because "personal data of tenants was stored without checking whether storage was permissible or even necessary. In some of the individual cases that were examined, it was, therefore, possible to find years-old private data from tenants that were preserved although they were no longer necessary for the purpose of their original collection."
This data included salary statements, self-disclosure forms, extracts from employment and training contracts, tax, social security and health insurance data and bank statements. Had the company used the scanning device it would have meant that once those documents were put in the correct folders for their purpose they wouldn’t have been stored anywhere that wasn’t safe.
Improve visibility to make sure that all of your car dealerships are on track
To make sure your employees are compliant you need to have full visibility of everything that is going on in your business. Engage's stats dash allows you and all other employees in your business to view a combination of stats which help keep your employees on track. These include:
All GDPR audits which have been completed.
Any overdue tasks such as “Bob needs to dispose of files which are at the end of their lifecycle by the end of the day.”
Who has read your compliance articles.
What learning playlists staff have completed.
You will also be able to see how compliant a location is compared to the regional average. The scores will be colour coded in red, amber or green so you can quickly see what action needs to be taken.
Alerts for when action needs to be taken fast
When you have a large number of employees, trying to contact them all immediately can be an impossible task. But instant communication is essential when keeping in line with GDPR guidelines because of how vigilant you have to be. If you are aware of a company-wide threat to your data, do you have a way of letting everyone know? What about if you need to give quarterly reminders of when data needs to be deleted: do you have an easy way of doing this, and a way which really grabs employees' attention even when they are not at a desk?
Stay vigilant to keep compliant
There is no quick fix for GDPR; it is an ongoing process which requires you to constantly track, analyse and monitor your data and processes. Many organisations are turning to digital platforms to give them confidence that they are taking all the necessary actions to stay compliant. If you need some more help on your GDPR journey or are lacking confidence, please contact us.