Session 1. Asset Management and Risk Control Forum. bvrla.co.uk

Transcription

1 Session 1 Asset Management and Risk Control Forum

2 GDPR Threat or Opportunity? BVRLA Asset Management & Risk Control Forum 19 April 2018

3 Introduction Personal data is an invaluable asset and many organisations rely on their ability to collect and process it in order to operate their business. The GDPR will apply to the processing of personal data by both data controllers and data processors. The new measures include increased accountability and a requirement on organisations to take a more proactive approach to data protection compliance.

4 Overview of the Legislative Changes Introduces significant new compliance obligations for businesses Applies directly to processors as well as to controllers Provides major new investigation and enforcement powers to regulators, including: mandatory audit rights over private sector businesses significant fines for serious breaches up to 4% annual worldwide turnover Data subject claims, including class action style rights More likely to come to regulator s attention e.g. mandatory breach notification

5 Key Changes Broader definition of personal data Transparency Data processing must be fair, lawful and more transparent, clearer privacy notices for example Accountability Don t just comply, show how you comply Legal basis for processing What basis do you rely on and do you need consent? Privacy by design Review what data is kept and minimise it Access rights and right to object and be forgotten Data portability

6 Fair and Lawful International Purposes Security 8 data protection principles Adequacy Rights Accuracy Retention

7 Explicit consent the last resort Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract Processing is necessary for compliance with a legal obligation Necessary for the purposes of legitimate interests Signing a Rental Agreement/Booking a Vehicle Entering a lease agreement Entering a leasing broker service contract

8 Marketing Prospect customers How did you obtain consent in the first place? Do you need to re-consent? What do you need to do going forward? We would like to send you information about our services, special offers and the latest information from (insert rental company name) by , post, SMS, phone and other electronic means. We ll always treat your details with the utmost care and will never sell them to other companies for marketing purposes.

9 RISC Does your rental agreement reference RISC? Do you alert customers to the use of RISC BVRLA s risk management tool? Are your staff aware of the correct procedure for data subject access requests? Data Controller: right to be forgotten/erased if data is not processed correctly Local Do-not-rent lists

10 Right to Erasure When does the right to erasure apply? Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed. When the individual withdraws consent. When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing. The personal data was unlawfully processed (i.e. otherwise in breach of the GDPR). The personal data has to be erased in order to comply with a legal obligation Not an absolute right to be forgotten

11 During the Lease and for Renewal What about contacting customers in life: servicing, vehicle recalls and MOTs etc? Employer should seek permission from employees as part of the company car arrangement If direct with the customer ensure it is covered by the contract

12 Penalties and Notices Statutory obligation or breach of contract BE TRANSPARENT Impacts on how long data is kept once the rental/lease is finished PCNs can be issued up to 6 months after the offence was committed

13 Data portability The right to data portability only applies: to personal data an individual has provided to a controller where the processing is based on the individual s consent or for the performance of a contract; and when processing is carried out by automated means. (not paper files) Data must be provided in a structured, commonly used and machine readable form within one month of the request.

14 Practical considerations Policy & procedure to respond to these requests Do you make the customer aware of their right to data portability? If sending to a competitor ensure only personal data is provided validate no commercially sensitive is included What data is deleted?

15 Data in Vehicles and Trackers End of contract and disposal procedures Data in the cloud Courtesy vehicles Make customer aware of the risks If a rental vehicle has tracker do you inform the customer?

16 CCTV Subject access requests Retention periods Advising of the existence

17 Paper and personal data Do you have a clear desk policy in your office or branch? How are credit card details stored? What about staff notebooks? Locking workstations Automatic time-outs on systems with personal data

18 Link to FCA FCA and data protection compliance closely linked Data Protection Impact Assessments not necessarily needed BUT Given the FCA requirements for documenting your processes and procedures might be good practice Guidance from ICO available on what one looks like? Data Protection Officer - not necessarily needed BUT.. Someone senior with the organisation should take responsibility

19 So what now. Have you considered: What personal data you collect? Do you control it or only process it? Why do you have the data? Consent, contract, legitimate interest How long do you keep the data? How secure is the storage of it? Who do you share it with and why?