Automotive Retailing & Distribution - International. Dealer IT, Internet & Business Processes. Briefing No March


Automotive Retailing & Distribution - International Sales Service, Internet & Business Processes

For use only by Subscribers to the Woods & Seaton Information Service

Briefing No March

This Briefing covers three developments, two related mainly to Europe and one to the USA.

Our next publication is scheduled to review the current status and direction of Cox Automotive, the most interesting multi-national DSP at this time and potentially - at least in some key areas - a game changer. The information gathering for this is in progress and will take some time. We will send out a note when it is ready.

Topic... Region affected
1. EU Data Privacy extensions... GDPR - General Data Protection Regulation - Europe... and wider
2. 3rd Party integrations with CDK and R&R. The long-term argument is heading towards the courts - USA
3. OEMs in the UK recognising a DMS provider new to the market. But the DSP has not yet announced its entry! - UK

1. GDPR - General Data Protection Regulation - implications for

The most productive people in the EU bureaucracy, its lawyers, have been busy again in the area of Data Protection, with a new regulation - GDPR - which all affected parties must implement by 25. May, which is almost tomorrow for already stretched system developers. It will not only affect system providers and users in Europe, but those outside who exchange Data with the EU or DSPs operating in Europe but with systems located in a Cloud outside the EU.

In the Automotive sector, which is a frequent target for lawyers when it is considered to have broken a regulation, it has a significant impact on a range of systems which handle Customer and Prospect Data, including the DMS, CRM and Web sites... anywhere a person enters personal details.

A layman's view of its demands is attached as an Appendix. For precise legal interpretation of GDPR, a well-informed lawyer should be approached - although even some of them appear to be not yet totally clear about how it should be interpreted and implemented by DSPs.

In outline... DSPs whose systems handle Personal Data will need to adapt their software to include...

- Full details of the permissions obtained by system users from their Customers and Prospects, for storing, processing and sharing with 3rd Parties (e.g. OEMs), the personal Data provided during transactions and any other form of contact.
- Formal confirmation that permissions for each element were given in writing, not only verbally, including the timescale for which the permissions will remain valid.
- Appropriate Data Encryption, to minimise the risk of misuse if there is a Data Breach.
- Controls to prevent Data leakages, e.g. to Sales people's Pads or Laptops for use outside the secure environment, e.g. when visiting Customers off-site.

Woods & Seaton 2017 Tel. 44 (0) mike@woods-seaton.com Web:

- An Audit Trail of all contacts with the Customers & Prospects, including their requests under GDPR, e.g. for some or all of their Data to be erased or given to them under portability rules. It is necessary to cover all methods of Data collection, including the Internet, call centres and paper.

DSPs' Software will also need to provide facilities for satisfying an individual person's...

- "right to be forgotten",
- right to erasure and...
- "right to data portability"... i.e. the right of individuals to obtain and reuse their personal data for their own purposes, allowing them to move, copy or transfer personal data easily from one environment to another safely and securely, without hindrance to usability. (The implications of this need clarification!)

It also appears that...

Where a DSP's systems provide Data to a 3rd Party's systems, the DSP will need...

- A formal agreement under which the 3rd Party is committed to protecting the Data they receive in compliance with GDPR.

Equally, when a DSP's systems receive Data from a 3rd Party they will need...

- A formal agreement committing them to protecting the Data they receive in compliance with GDPR.

Note: OEMs will have similar concerns about transferring Customer Data to s systems. This includes Sales Leads, obtained on-line, via call centres or other contacts, which are passed to s for action. s will need to be sure that OEMs have obtained the necessary permissions and OEMs will need to be sure that s systems and Data Protection processes are compliant.

Comment

The clearest fact about GDPR is that it adds a layer of complication to (and OEM) and to the processes which s will need to implement and manage precisely. Another clear fact at present is that the correct and precise interpretation of the (still evolving) regulation is not clear to many of the affected participants.

The development work involved will be substantial for many DSPs. This is expected to become a major topic in in the period to May and afterwards. The EU's Data Protection authority, and hungry lawyers, will be looking for any breaches of the GDPR.

It is not unreasonable to question whether the EU is (once again?) implementing excessively demanding legislation which has a major impact on the ability of businesses to function efficiently.

The Appendix provides a more detailed view of the legislation and its implications.

2. 3rd Party integrations with CDK and R&R in the USA
The long-term argument is heading towards the courts

For almost a decade the issue of integrating 3rd Party systems with the DMS of the two dominant DMS providers in the USA has been evolving. It has been covered frequently in our Briefings.

During the past year it has become increasingly heated as 3rd Parties, including Specialist DSPs, have claimed that CDK and Reynolds & Reynolds have been increasing their charges for integrations and, in some cases, making it very difficult for them to gain access to s Data which the s want them to have and use to support their business operations.

Recently the first of what some local observers expect to be several legal cases was announced, with Motor Vehicle Software Corporation (MVSC), which provides electronic vehicle registration services to s and State governments, suing CDK Global, Reynolds and Reynolds and one of their joint ventures, CVR - which also provides registration services, for engaging in antitrust practices.

MVSC needs access to s DMS data to register the vehicles they sell, and claims that CDK and R&R are restricting that access because they want their competing CVR services to be used.

Comment

This case is being covered in detail by local automotive journals, including Automotive News, and by The Banks Report - see No further comment on it is relevant here.

However, it is unlikely that Integrations are an issue which will quietly go away. They are a key factor in the businesses of s and OEMs, to whom a smoothly functioning two-way Data chain is essential - with the 3rd Parties also involved.

3. OEMs in the UK recognising a DMS provider new to the market
But the DSP has not yet announced its entry!

An amusing situation has arisen in which a DSP operating in Europe and currently making an entry into the UK is not yet ready to announce that fact publicly, but two OEMs which endorse its systems in other countries have informed their UK s that they are also endorsing it for the UK.

A formal announcement by the DSP is expected very soon. However, there is little doubt that its competitors know who it is... one has already lost a customer to the newcomer.

Comment

The UK market has been dominated for several years by CDK with its Autoline DMS, with Reynolds & Reynolds and Pinewood - the largest local player - sharing most of the rest of the market.

There have been indications in the market that s and OEMs would welcome additional strong competitors... hence the speed with which two OEMs have endorsed the newcomer. Others may follow.

However, the UK with its numerous publicly-owned large-scale, multi-brand Groups, is not an easy market to penetrate. The coming 2 or 3 years should be interesting.

* * * * *

Your queries, comments, suggestions, disagreements and chats continue to be welcome.

Mike & Jo

The Data Privacy Appendix, provided by our long-standing colleague, Mike Russell-Carter, follows on the next page.

Our Subscriber Community

Our Briefings, Reviews and Analyses are intended for reference only by our Subscribers' direct employees in the region(s) covered by their subscription. We request that copies are not supplied to outsiders who are not Subscribers without our prior written agreement via . Our thanks to you all for your help in this.

Data Protection Appendix

GENERAL DATA PROTECTION REGULATION (GDPR)
THE NEW EU DATA PROTECTION / PRIVACY LAWS (2018)

Foreword

The following paper does not constitute legal advice and should not be acted on as such by Woods & Seaton subscribers or any others who may read it. It is included with Briefing for general information and guidance only. Woods & Seaton are not responsible for errors and / or omissions in this summary of the revised and enhanced Data Protection Legislation (GDPR) which from May 2018 will become effective throughout the EU and EEA. It will also affect those outside the EU / EEA who process personal data received from, and sent to, these areas.

Avoiding the pitfalls

Introduction.

A large amount of information about the GDPR already exists in the public domain (most of it accessible on the Internet) and this paper does not seek to repeat that. It is intended as a prompt and a reminder that, whatever its size or type, nearly every business enterprise is affected by the new legislation and is required to adopt and observe the new rules from May The simple observance / continuation of a Data Protection regime, approved under the current regulations, will not be adequate after the GDPR becomes effective. A strengthened process of external audit and penalties for infringements is promised.

As a large employer of labour, and the holder of a wide range of personal customer databases, the retail automotive sector cannot risk delaying reviewing the implications for their own organisations.

1. Overview.

The General Data Protection Regulation (GDPR) is an EU-sponsored Regulation by which the European Parliament, the European Council and the European Commission intend to: Strengthen and unify data protection for individuals within the European Union (EU) and the associated European Economic Area (EEA)**. It also covers the export of personal data outside these areas.

The primary objectives of the GDPR are to give citizens a greater and more effective control of their personal data and to simplify the regulatory environment for international business by unifying the regulation across the entire EU / EEA bloc. In short, to very significantly upgrade the existing laws.

When the GDPR takes effect it will replace the previous Data Protection Directive issued in The new Regulation was adopted on 27 April It becomes law on 25 May 2018 after a two-year transition period and, unlike the Directive (which it replaces), it does not require further enabling legislation to be passed by member state national governments.

** The EEA includes: Iceland, Liechtenstein and Norway. Switzerland also observes the same rules.

Note on the UK: The eventual outcome of the Brexit negotiations is considered unlikely to influence the UK's unilateral adoption of the GDPR obligations. As EU members in May 2018, the UK's adoption would be mandatory anyway. As a future trading partner with the EU it would be unwise to adopt a new or different Data Protection regulation which could further and unnecessarily jeopardise the coming trade negotiations within the overall Brexit programme.

2. The Present Situation

EU and EEA.

The existing Data Protection / Data Privacy laws are closely based on, and date back to, the EU Directive adopted across the EU and EEA in 1995. Various small amendments have occurred along the way, but today's EU standard DP rules are now well established.

Initially individual member states were required to include the Directive into their national legislation. For example, in the UK the eight Data Protection Principles** (see box below) resulted in the 1998 Data Protection Act, which replaced the previous Act of Other countries, including more recent EU members, followed the same process to establish commonality across the entire bloc.

Existing practice dictates that personal data may be transferred / processed across EU national borders with the confidence that it will be treated in the same way as in the originating country.

**The 1998 Data Protection Act

The Data Protection Act controls how personal information is used by organisations, businesses or the government. Everyone responsible for using data has to follow strict rules called data protection principles. They must make sure the information is:

- used fairly and lawfully
- used for limited, specifically stated purposes
- used in a way that is adequate, relevant and not excessive
- accurate
- kept for no longer than is absolutely necessary
- handled according to people's data protection rights
- kept safe and secure
- not transferred outside the EU / European Economic Area without adequate protection.

2.2 Cross National Boundary (Personal) Data Transactions beyond EU / EEA.

Many countries trading in, or with, the West have adopted Data Protection principles based partly, or mainly, on those adopted by the EU / EEA. Unfortunately, so far there are no internationally agreed protocols, and organisations wishing to transfer personal data to locations in countries beyond their own national borders are strongly advised to seek professional advice to avoid possible (and expensive) claims for damages from either individuals or state enforcement agencies.

Canada is widely regarded as compliant with European Data Privacy laws. Whilst this may be so, it would be wise for any EU / EEA business involved in personal information exchanges with a Canadian organisation to verify the legal position at the time.

The USA. In a country regarded by many as the natural home of commercial and personal litigation, the DP position is considerably more complex. There is some high level Federal law mainly administered on behalf of the US Government by The Federal Trade Commission (FTC). Much of this is very specific and does not create the widespread DP awareness which exists in Europe.

Many US states have legislation creating stronger protection of personal information than federal law requires. Each state in the union has its own constitution, but whilst only ten of these include an explicit right of privacy, almost all states now have laws that address the individual's interest in knowing whether the security of their data has been compromised. Some state privacy laws apply to all industry sectors and all types of personal data; others bridge gaps in federal DP law exposed by historic litigation. California is cited as a state exerting one of the most comprehensive and demanding DP regimes.

One effect of these state laws is to complicate efforts by other countries to evaluate Data Protection in the US. Inevitably, the potential exposure in making cross border (personal) data transfers should be reviewed by qualified professionals before doing so.

This extract from a 2016 paper on Data Privacy law by Paris-based commercial lawyer Noelle Lenoir makes interesting reading:

History goes some way to explaining the different approaches to security, and more generally to data protection, on either side of the Atlantic. Different from the countries of continental Europe, the United States has never experienced dictatorship, from which comes the European sensitivity to privacy in relation to both their lives and their personal data.

In addition, two recent events have strengthened Europe's will to ensure data protection anywhere in the world. The first is the Treaty of Lisbon and its EU Charter of Fundamental Rights. Previously, the European Data Protection Directive (which continues to apply until 2018) was based on the single market and the need to ensure the free movement of data within it. Data protection is now part of the Charter as a fundamental EU right.

The second is the case of Edward Snowden, a former NSA (National Security Agency) contractor who leaked millions of items of classified information in a bid to reveal the Agency's global surveillance programme to the world. A few years ago, Snowden would simply have been considered a traitor to his country. Today, for some people at least, he is almost a god, legitimately entitled to give the US government lessons in democracy from Russia where he has sought asylum.

The echo found by Snowden's actions in both public opinion and the European Parliament has translated directly into the decisions made by the European Court of Justice (ECJ) - Europe's court of last resort and consequently an influence to be reckoned with. These decisions, and in particular the Google Spain and Weltimmo rulings of 14 May 2014 and 1 October 2015, make it clear that all data (including banking information) relating to EU citizens that is processed or stored in the United States is protected under EU law if the operator has an establishment in the European Union.

This is confirmed in the forthcoming General Data Protection Regulation (GDPR) set to replace the 1995 directive in It specifies that, as far as commercial operations are concerned, the applicability of European legislation will be decided not in relation to the place where data is processed but rather whether or not the individuals whose data is being processed are resident in the EU.

Clearer still is the Schrems ruling of 6 October 2015 - named after the Austrian law student and disciple of Snowden who brought the case - by which the European Court of Justice quashed the European Commission's decision on the US / EU Safe Harbor agreement. This made all data transfers under its provisions illegal with immediate effect, on the grounds that it allowed US authorities to access the data stored in the United States by Internet companies such as Facebook, in breach of European data protection law.

The fact that certain US operators (Google, Facebook, Microsoft, etc.) have now set up clouds in Europe is not unrelated to their desire to reassure European consumers whilst at the same time ensuring they do not lose out to European operators who have been quick to make a move into the US market where, they claim, data security is less rigorous.

2.3 Interim Summary (see also paragraph 5)

a) The Basics. The General Data Protection Regulation (GDPR) becomes effective EU / EEA wide on 25th May It will replace existing Data Privacy Legislation and will be common across all Member States irrespective of national boundaries within the bloc.

b) Implementation and observance will apply to all businesses and any other organisations holding and / or processing personal data on individuals.

c) A keystone in assessing observance will be that individuals whose data is legitimately held or processed have understood fully, and given unambiguous consent for, the holding and processing (also transmission) of their data for purposes which are themselves unambiguous.

d) Organisations that are not home-based within the EU / EEA, but have Subsidiary companies or Branches in those countries, will be required to comply with the Regulation which will cover the European states where they operate. Typically this may affect the intended transmission of personal information from within the EU / EEA boundaries to any location including distant Head Offices or remote Partner organisations, irrespective of the DP regime that may exist in the remote location. In particular, the rapid adoption of Cloud technology will inevitably affect the operation of customer / client databases currently accessible, and processed, from global locations far from the EU.

Note: Beyond the closing comments in the extract from Noelle Lenoir's Paper (see above) it is reported that other global organisations are already setting up / enhancing separate, formally EU-based, business operations to be able to comply with the requirements of the GDPR with least difficulty. Even so, for those with large scale international networks, being able to demonstrate GDPR compliance will doubtless require noticeable infrastructure planning and investment. The proposed penalties for breaches of the new rules will be painful.

4. The GDPR.

4.1 Under the GDPR, the data protection principles define the main responsibilities for organisations. The broad principles are similar to those already in force across the EU / EEA with added detail at certain points and a new accountability requirement. It would be unwise to assume that compliance with the 1995 Directive / 1998 DP law will be enough for this purpose.

The most significant addition is the accountability principle. The GDPR requires an organisation to show how it complies with the principles - for example by documenting the decisions taken about a processing activity.

In particular, Article 5 of the GDPR requires that personal data shall be:

a) Processed lawfully, fairly and in a transparent manner in relation to individuals.

b) Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes.

c) Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

d) Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.

e) Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals.

f) Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Source ICO UK.

Critically, Article 5 (para. 2) requires that: The controller** shall be responsible for, and be able to demonstrate, compliance with the principles.

**See definition(s) in 4.2 below.

Compliance with the GDPR is the responsibility of the EU's European Data Protection Supervisor's (EDPS) office in Brussels in conjunction with the associated Article 29 Working Party. For reasons explained earlier, although this looks like a further heavyweight example of Brussels Bureaucracy, it is unlikely that in practical terms Brexit will offer an escape route for the UK. Further, and inevitably, all Data Protection authorities in non EU countries will need to maintain close and ongoing liaisons with the EDPS and its policies in order to develop and maintain GDPR compliance and good future trade relations across the EU / EEA bloc.

Note 1: Representatives from the national Information Commissioner's offices in many non EU countries are currently members (or observers) of the Article 29 Working Party and where this organisation now leads it seems likely most will be obliged to follow.

Note 2: Big Data. A Statement by the EDPS.

The term Big Data implies large amounts of different types of data produced at high speed from multiple sources, requiring new and more powerful processors and algorithms to process and to analyse. These practices and technologies could offer major benefits for economic growth in various sectors including energy, transportation and health. Not all of this information is personal, but businesses and governments are more and more using big data to understand, predict and shape human behaviour.

Big data is therefore a long term strategic concern for data protection and privacy regulators. It puts strain not only on privacy and data protection, but other fundamental rights including freedom of expression and non-discrimination. There is a need to find new ways of realising principles and values, of shaping but not stopping technologies which promise benefits for individuals and society at large. Through a series of Opinions and other initiatives, the EDPS has been developing the concept of Big Data Protection, which includes but goes beyond, modern and simple-to-implement laws.

Source: EDPS (Brussels)

4.2 Compliance is the Key Issue.

For many / most organisations and businesses in the Automotive sector who have long ago instituted their own processes and procedures to comply with the EU Directive 20 years old, much of the GDPR may seem slightly familiar. To assume more than that would be unwise and risk serious consequences, potentially disruptive and costly.

It is strongly recommended that if a business does not yet have a formally appointed Data Controller / Data Protection Officer (most undoubtedly do) they should do so without delay. Sharing the responsibility - perhaps informally - amongst members of a management team may be not only unwise, but lead to serious breaches of the law however unintended. Someone needs to be trained and to understand sufficient about the incoming legislation to be held accountable to senior management for its compliance.

As with most legal matters, in most countries there are now many professionally independent and well informed specialists available to provide detailed further support if required. For those seeking more information quickly, the Information Commissioner's offices (website) for their individual states or countries should be the first enquiry point.

The following check list is a summary of some key points taken from the European Data Protection Supervisor's (EDPS) office and promulgated on the UKIC's website. See also Paragraph 5 below.

Preparing for the GDPR

1. Awareness: You should make sure that decision makers and key people in your organisation are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have.

2. Information you hold: You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit.

3. Communicating privacy information: You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.

4. Individuals' rights: You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.

5. Subject access requests: You should update your procedures and plan how you will handle requests within the new timescales and provide any additional information.

6. Legal basis for processing personal data: You should look at the various types of data processing you carry out, identify your legal basis for carrying it out and document it.

7. Consent: You should review how you are seeking, obtaining and recording consent and whether you need to make any changes.

8. Children: You should start thinking now about putting systems in place to verify individuals' ages and to gather parental or guardian consent for the data processing activity.

9. Data breaches: You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.

10. Data Protection by Design and Data Protection Impact Assessments: You should familiarise yourself now with the guidance the ICO has produced on Privacy Impact Assessments and work out how and when to implement them in your organisation.

11. Data Protection Officers: You should designate a Data Protection Officer, if required, or someone to take responsibility for data protection compliance and assess where this role will sit within your organisation's structure and governance arrangements.

12. International: If your organisation operates internationally, you should determine which data protection supervisory authority you come under.

Source: ICO.org.uk

4.2 Note 1. It is vital that a Data Subject (Employee / Customer) should have a very clear understanding and acceptance of the storing, processing and possible onward transfer of their data. This is not a new requirement under GDPR rules (it has been a part of DP law from the start), but in frequent practice has become watered down and for many, confused. The GDPR demands consistency and clarity. For example, different websites and written contracts adopt varying forms of the Opt Out / Opt in privacy requirement and many are unclear about the scope which a data subject's acceptance allows for processing beyond the current particular matter. The GDPR restricts what is often regarded as an unlimited data subject processing approval to be effective solely for the matter in hand. The effect is that multiple Approvals might be required as a part of complex transactions, or in long term supplier / customer relationships.

4.2 Note 2. As a general guideline - the original legal receiver of a subject's data is held responsible for its security whether or when it is processed and transmitted to third parties, and must take appropriate steps to guarantee its integrity. Although third parties can be expected to treat received data with the same care as the originating processors (for example the seeking of references on a would-be finance borrower), the responsibility for the data's security remains with the organisation holding the original data subject's approval. This could lead to the requirement for several separate subject approvals in the case of multiple transmissions where the end receiver / processor of the data does not, or cannot, provide the same level of data security as the originator (first party).

4.2 Note 3. Users of CRM Marketing systems should particularly review their exposure in their interpretation of customer / contact approvals for data processing and its potential for misuse under GDPR rules by third party partners.

5. Summary & Conclusions.

The GDPR becomes effective on 25 May It will cover the entire EU / EEA and will apply in the UK and its legislative dependencies (irrespective of Brexit negotiations).

There is some present lack of clarity about the status of (personal) data transactions with countries outside the EU / EEA including the USA in respect of the (current) harmonisation of DP laws through the prevailing Safe Harbor agreement. This is expected to be resolved during 2017/18.

Compliance: The Information Security Forum (ISF), an EU-approved Think Tank, suggests a 5 Point List aimed at achieving GDPR compliance.

1. Get privacy policies, procedures and documentation in order and keep them up to date. Data protection authorities can ask for these at any time.

2. Form a governance group that oversees all privacy activities, led by a senior manager or executive. Even in a small organisation (less than 250 staff), you are recommended to appoint a data protection officer. The group should develop metrics to measure the status of privacy efforts, report regularly and create statements of compliance that will be required as part of your organisation's annual report.

3. Implement a breach notification process and enhance your incident management processes and your detection and response capabilities. Any data breach must be notified to the relevant data protection authority, even if protective measures, such as encryption, are in place; or the likelihood of harm is low.

4. Prepare your organisation to fulfil the right to be forgotten, right to erasure and the right to data portability. A strategy covering topics such as data classification, retention, collection, destruction, storage and search will be required and it should cover all mechanisms by which data is collected, including the internet, call centres and paper.

5. Create and enforce privacy throughout your systems' lifecycles to meet the privacy by design requirement, whether you buy or develop. This will ensure privacy controls are stronger, simpler to implement, harder to by-pass and totally embedded in a system's core functionality.

Notes to the above.

Right to be forgotten
Right to erasure
Right to Data Portability
... for more details see...

These are amongst particular Data Subject rights specified under the GDPR. Whilst they afford individuals some rights to change their minds and / or to seek amendments to information legally gained / offered about themselves, they are not unconditional rights and under certain circumstances an application may be legitimately declined.

Privacy by Design

An approach to projects that promotes privacy and data protection compliance from the start. Unfortunately, these issues are often bolted on as an after-thought or ignored altogether, e.g...

- Building new systems for storing or accessing personal data.
- Developing new policy or strategies that have privacy implications.
- Starting on a data sharing strategy.
- Using data for new purposes.

Note: Further details are available from national Data Protection authorities (incl. UK ICO)


Data Protection Policy Data Protection Policy (Data Protection Act 1998) (This policy will be updated to incorporate GDPR by May 2018) Page 1 of 9 Data Protection Policy 1 Statement of Policy The Constellation Trust needs to

More information

GDPR - Salon Guide Contents

GDPR - Salon Guide Contents GDPR for salons INTRODUCTION 1 GDPR - Salon Guide Contents GDPR - Salon Guide 1. INTRODUCTION 1 a. Already comply with Data Protection? 1 b. What is personal data? 4 c. Who controls the data? 4 d. What

More information

The Information Commissioner s response to the Competition and Market Authority s Energy market investigation: notice of possible remedies paper.

The Information Commissioner s response to the Competition and Market Authority s Energy market investigation: notice of possible remedies paper. The Information Commissioner s response to the Competition and Market Authority s Energy market investigation: notice of possible remedies paper. The Information Commissioner s role The Information Commissioner

More information

Functional area. F Hallinan, C Abad, W Andrews Approver (s) Version 001 Effective date 25 May Privacy Notice for Emergency Contacts

Functional area. F Hallinan, C Abad, W Andrews Approver (s) Version 001 Effective date 25 May Privacy Notice for Emergency Contacts The Charter Schools Educational Trust Privacy Notice for Emergency contacts GDPR compliant (Article 14 contact details given by someone other than the data subject) Contents: The personal data we hold

More information

GDPR POLICY. This policy complies with the requirements set out in the GDPR, which will come into effect on

GDPR POLICY. This policy complies with the requirements set out in the GDPR, which will come into effect on GDPR POLICY Sponsors Statement All The Bishop of Winchester Academy policies exist to support the Sponsors vision, Christian ethos and values that are embedded in the day-to-day and long term running of

More information

Summary of General Data Regulation & Actions. Nationwide Coverage.

Summary of General Data Regulation & Actions. Nationwide Coverage. Nationwide Coverage M Group Services Head Office Abel Smith House, Gunnels Wood Road, Stevenage, Hertfordshire SG1 2ST Tel: 01438 743 744 Morrison Utility Services Head Office Abel Smith House, Gunnels

More information

RBA Online Privacy Notice for

RBA Online Privacy Notice for RBA Online Privacy Notice for www.responsiblebusiness.org Last updated [ ] The Responsible Business Alliance ( RBA, we, us, our ), is committed to protecting your privacy. At all times we aim to respect

More information