GDPR is just around the corner. What does it mean for you?

Transcription

1 GDPR is just around the corner What does it mean for you?

2 Your guide to the GDPR The General Data Protection Regulation (or the GDPR for short) is a piece of EU regulation that comes into force on 25 May 2018 which intends to bring data protection regulation up to date. Since the launch of the Data Protection Act 1998, the technology landscape has changed dramatically and data is being used now in many more ways than it has been previously. You ve probably heard a lot about the GDPR in the news, the trade press, and from your suppliers. Here at Close Brothers Motor Finance, we re keen to let you know what it means for you, your relationship with us, and our relationship with our customers. Contents The GDPR an overview What does the GDPR mean for you? Privacy notices Customer consent FAQs Key terms glossary Close Brothers Motor Finance

3 Summary What do you need to do? Training You should make sure that decision makers and key people in your organisation are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have. Data collection and storage You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit. You can keep customer data for a period of time that is deemed relevant to the relationship you have. It will be important to tell the customer how long you will keep it and have a process to remove after these defined points. Think about how you store customer data. Check that you are keeping it secure, whether electronically or in hard copy. This also gives you an opportunity to reduce duplicate or old data you no longer need to hold. We (Close Brothers Motor Finance) collect data to make a credit decision and to provide finance, the customer needs to know what this entails and what we will do with their data this is all in our updated privacy notice. Customer privacy and consent You should review your current privacy notices and put a plan in place for making any necessary changes in time for the GDPR implementation. Make sure your privacy notice tells the customer why you re capturing their data and what you intend to do with it. After 25 May, we will only accept manual proposals on our own manual proposal forms. The GDPR is just around the corner: What does it mean for you? 3

4 The GDPR An overview What is the GDPR? The General Data Protection Regulation (or GDPR for short) is a piece of EU regulation that comes into force on 25 May 2018 which intends to update data protection law. It will apply to the UK even after we leave the EU through Brexit. Since the launch of the Data Protection Act 1998, the technology landscape has changed dramatically and data is now being used in new and innovative ways that the existing law did not account for, so it s important that the rules around data are brought up to date. The GDPR is designed to protect and strengthen an individual s personal data rights and reshape how we approach data privacy. Who does it apply to? Who are the ICO? What does it mean for us? They have produced lots of information about the GDPR, all of which can be found on their website: The GDPR affects any organisation or individual which holds or processes personal data. It also gives new rights and more control over how an individual s information is used and shared. Close Brothers Motor Finance as a finance provider and you as a dealer partner or broker are both Data Controllers. That means that we are both responsible for ensuring we comply with the new legislation in our own businesses. We each have our own responsibilities to ensure we are doing the right thing for our customers and there are certain changes we must make. The ICO (Information Commissioner s Office) are an independent body set up to uphold information rights in the UK and ensure that organisations abide by Data Protection laws. 25 May 4 Close Brothers Motor Finance These changes come into effect on 25 May 2018; you might notice that our agreements and consent requirements will change just before this date.

5 What does the GDPR mean for you? Training First of all, it s important that you and your team understand what the GDPR is. To promote best practice, you should train all of your staff about the principles of the GDPR so that they understand the importance of protecting individuals data. Training is also one of the first things that the ICO might ask about if they were to investigate your business, so make sure you keep a record of any training you provide to your team. Data collection and storage The GDPR sets out how we keep personal data and what we can and can t do with it. For example, data must be collected for specified, explicit and legitimate purposes. It is important to ensure that information is not captured without reason and that the individual knows how and where their data will be used. Under the GDPR, you can still retain customer data, however you cannot retain personal data for any longer than is necessary, so if you do want to hold on to it, you need to have a valid reason for doing so. If for example, someone buys a vehicle from you, together with a service plan, then you have a legitimate reason to keep their data as they will be returning to you on a regular basis for their services. However, if someone fills in a web enquiry form, but doesn t visit the dealership or convert into a sale, you should only retain this for a shorter period of time before deleting. You need to maintain a log of the types of personal information you store, and why you maintain it. This may be for purposes such as marketing to prospects, marketing services to existing customers, or providing warranty coverage. Data security The GDPR requires personal data to be processed in a manner that ensures its security. This includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. You should think about who has access to your systems and paper files, and put controls in place where necessary to ensure that only individuals who have a need to access the data can do so. You should not allow people from outside of your business to have access to any personal information that you hold, unless you have a contract in place with them, and the individual has been made aware of and agreed to their data being shared in such a way. You collect customer data for a number of reasons and it can take place well in advance of submitting a finance application to us, right back to the enquiry stage. You should think about the different ways you capture personal data: it could be online, over the phone, on , or face to face. The GDPR is just around the corner: What does it mean for you? 5

6 Privacy Notices Being transparent and providing accessible information to individuals about how you will use their personal data is a key element of the GDPR. The most common way to provide information about how you will use an individual s personal data is in the form of a privacy notice. Most companies already have a privacy notice, but there may be some changes required under the GDPR. One of the first principles of data protection is that personal data must be processed fairly and lawfully. In order for processing to be fair, the data controller (you regarding the sale of a car, and separately us regarding finance for the vehicle) must make certain information available to the data subjects (customers). That information is: w ho the data controller is; t he purpose or purposes for which the information will be processed; who the data is shared with; and t he data retention period; a ny further information which is necessary for the specific circumstances to enable the processing to be fair. This applies whether the personal data was obtained directly from the individuals or from other sources. Information you provide to people about how you process their data must be: c oncise, transparent, intelligible and easily accessible; w ritten in clear and plain language and f ree of charge. You must provide privacy information to the individuals at the time you collect their personal data from them. 6 Close Brothers Motor Finance So, what should you do? If you don t have a privacy notice already, then you should create one. It should be easy to understand, and explain what you do with their data and why. If you do have one already, make sure you check through it to ensure that it s easy to understand and covers any activity that you ll be using the customers data in. If you do not yet have a privacy notice, or want to confirm it is fit for purpose going forward, take a look at the guidance available on the For Organisations link on What are we doing? In keeping with the above, we re making some changes to our own privacy notice to ensure we re following the guidelines that have been published. You ll probably be familiar with our privacy notice which appears when you process an application and submit it to us if you ve used the Ask Close/Showroom proposal system. It also appears on our manual proposal forms.

7 Our privacy notices How it appears on the manual proposal form How it appears in Showroom We have updated our privacy notice which now goes into much more detail about how we process customer data and why. Before 25 May, you ll see our privacy notice change. The updated manual proposal form pads will be available through your Account Manager. 25 May From 25 May, we will no longer accept proposals on the old proposal form containing our old privacy notice. It is imperative that the customer has an opportunity to read our privacy notice before you submit the application to us. Please destroy any of the old manual proposal forms, and make sure you order the new ones in plenty of time before 25 May. We also will no longer accept any manual proposals on anything other than the approved Close Brothers Motor Finance proposal forms. What should you do if the customer isn t present? If arranging an application over the phone, or a customer is making a remote purchase, then you need to explain the key points from the privacy notice to the customer. These are as follows: Purposes for which Close Brothers Motor Finance use the customer s personal data: To conduct a credit check via a Credit Reference Agency; To verify the customer s identity, assess their suitability for the products and services that they have requested, and decide whether to enter into an agreement with them; To manage, administer and take decisions regarding their agreement; Where necessary for our legitimate business interests (improving customer service, market research, quality assurance etc.) and; To meet our legal and regulatory obligations. Exchange of information with credit reference agencies (CRAIN) If the customer would like to read more about how their information will be used by our credit reference agency, they can do so at What is CRAIN? CRAIN stands for Credit Reference Agency Information Notice. It is the joint privacy notice for the credit reference agencies (Experian, Call Credit etc.). It s something that we need to make the customer aware of and advise them on how they can access it. We ve got the URL in our privacy notices (as above), and you should make sure the customers are aware of their right to access this. The GDPR is just around the corner: What does it mean for you? 7

8 Consent What is consent? Consent means offering individuals real choice and control over their personal data and how it is used. If consent is done properly, it should put individuals in charge, build customer trust and engagement and enhance reputation. The GDPR sets a high standard for how individuals can consent to their data being used. It must be unambiguous and involve a clear and affirmative action. It specifically bans pre-ticked opt-in boxes. Consent is one of the six lawful reasons (or bases) for processing personal data that you can use under the GDPR. The requirement to have a lawful basis is not new; it just replaces the conditions for processing from the Data Protection Act. You can find more information about lawful basis here: Consent doesn t last forever, but there aren t any set limits so provided you have a valid reason for maintaining that customer information (i.e. they re a current customer), then you can class that information as active and continue to use it. What do you need to do? The key here is to make sure that you understand what personal data you collect and what for, or why you use it. You might not always need to gain consent if you have other lawful bases for collecting the data. For example, we re not asking customers to consent to us using their data for the purposes of a finance application, because we re covered by contract and legitimate interest bases we must process that data in order to fulfil a contract. Direct marketing to individuals who are not your customers generally requires the individuals to have consented to hearing from you in the channel used (i.e., , SMS, phone, post) and about the type of product or service you are marketing. This means any web enquiry forms on your website and other ways of identifying leads will need to be reviewed to confirm appropriate consent language is in place. Check the ICO website for further guidance on consent language. You may be able to market to existing customers without explicit consent, if you are marketing related products or services to those already purchased, the individuals have an opportunity to opt out of future communications, and you stop marketing to anyone who does opt out. You can no longer use customer data from Showroom/Ask Close for your own marketing activities or to contact customers 8 Close Brothers Motor Finance

9 What are Close Brothers Motor Finance doing? We want to be transparent with the customer about what they re providing their consent for and when, and so we ve made some changes to our processes. Electronic Signature eclick We re introducing two new tick boxes as part of the customer signature journey that looks like this: Wet signature We ve added the same consent boxes to our wet signature agreement documents too. This is going to allow our customers to decide what information they receive from us. Neither of the boxes will be populated, so the customer has the option to tick either box, both or none, as they prefer. The GDPR is just around the corner: What does it mean for you? 9

10 FAQs What about your ICO registration? Most data controllers are required to register annually with the ICO. For further information on ICO registration and to understand if you should be registered, you can visit their website. self-assessment/ Where can you find out more information about the GDPR in general? The best place to start is the Information Commissioner s Office (ICO) website. They have produced a guide to the 12 things you need to think about right now, and a Getting Ready for the GDPR checklist, along with plenty of background information about the new regulation. Can you still use your customers data to market to them? Yes provided you have a lawful basis according to the GDPR. You can find more information about lawful bases here; What does the GDPR say about what your privacy notice should contain? Who the data controller is; The purpose or purposes for which the information will be processed; The data retention period; Who the data is shared with; and Any further information which is necessary for the specific circumstances to enable the processing to be fair. This applies whether the personal data was obtained directly from the customer, or from other sources. Information you provide to people about how you process their data must be: concise, transparent, intelligible and easily accessible; written in clear and plain language and free of charge. What about business customers? If an individual can be identified by the data you hold, regardless of whether they are associated with a Limited Company or not, this data is classed as PII under the GDPR, and the processing principles in this document apply. One change you need to be aware of is that from 25 May you will no longer be able to use data from our systems (Showroom/Ask Close) to market to your customers. 10 Close Brothers Motor Finance

11 Glossary Consent Consent is any freely-given, specific and informed indication of wishes by which the Data Subject agrees to their personal data being processed. This can be achieved by a customer opting-in to receiving marketing material from you or associated third parties. CRAIN The CRAIN is the Credit Reference Agency Information Notice the privacy notice for our credit reference agency/agencies. Customers must have access to this if requested before sending their personal information on to the credit reference agency. Data controller A controller determines how and why personal data is collected and processed. Data controllers will usually be organisations, but can be individuals. If you or your business are a controller, you are not relieved of your obligations where a processor is involved the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR. Data processor A processor is responsible for processing personal data on behalf of a controller. If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have legal liability if you are responsible for a breach. Data subject A data subject is a living individual to whom personal data relates. The Act does not count as a data subject an individual who has died or who cannot be identified or distinguished from others. DPA The Data Protection Act (DPA) controls how your personal information is used by organisations, businesses or the government. The GDPR will replace the Data Protection Act. ICO Stands for Information Commissioner s Office. The UK s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. PII PII is Personally Identifiable Information. As described in the regulation, it is any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly by something such as a name, ID number, location data or online identifier. Essentially this means that PII is anything like customer name, address, address, vehicle registration, credit card number, VIN/VRN etc. It s any piece of information that exclusively or when used in conjunction with other information, could allow you to identify a unique individual Privacy policy A privacy policy is a publicly available document that outlines a company s intentions concerning personal data storage and use. DPO A DPO (Data Protection Officer) is someone appointed to a business to monitor internal compliance with the GDPR and provide advice regarding Data Protection Impact Assessments. To understand whether you need to appoint a DPO, visit the ICO website. The GDPR is just around the corner: What does it mean for you? 11

12 Call us on Call your local branch Visit closemotorfinance.co.uk/dealer Visit closemotorfinance.co.uk/dealer/gdpr Close Brothers Motor Finance Close Brothers Motor Finance Roman House, Roman Road, Doncaster, DN4 5EZ Roman House, Roman Road, Doncaster, DN4 5EZ Showroom User Guide - February 2018 The information contained in this guide is for general information purposes only. The information is provided by Close Brothers Motor Finance, and while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied about the completeness, accuracy, reliability, suitability or availability with respect to the guide or the information, products, services, or related graphics contained in the guide for any purpose. Any reliance you place on such information is therefore strictly at your own risk. You should seek independent legal advice if you are in any doubt as to your own legal obligations. In no event will we be liable for any loss or damage including without limitation, indirect or consequential loss or damage or any loss or damage whatsoever arising from loss of data or profits arising out of, or in connection with, the use of this guide. Please make sure you are using the most up to date version of this guide if you are in any doubt; please speak to your Account Manager. Please make sure you destroy any previous version of this guidance whether in hard copy or stored electronically. You should not copy, share or reproduce the contents of this guide other than for your own use. Close Brothers Limited does not accept any responsibility to any unconnected third party in the event that its contents are reproduced or relied upon as legal advice in any way. Close Brothers Motor Finance is a trading style of Close Brothers Limited ( CBL ), a subsidiary of Close Brothers Group plc. CBL is registered in England and Wales with company number and registered office at 10 Crown Place, London EC2A 4FT. Close Brothers Limited is authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and Prudential Regulation Authority. Firm reference number