Automotive insights

GDPR is coming. Is the auto sector ready?

A new data protection bill is bringing severe penalties for those who mishandle confidential information. The automotive industry needs to be vigilant.

Data protection law is changing. The new Data Protection Bill being put before Parliament will, when passed, herald the most significant change to data protection laws in the last 20 years.

The new laws, which are due to come into effect on 25th May 2018, aren’t targeted at just the big players of the business world either, but will affect businesses of all sizes1. Therefore all businesses from small dealerships through to OEMs who regularly handle vast amounts of confidential data will need to know what the bill entails and the processes they will need to have in place going forward.

How does the new data protection bill change things?

For a start, the bill aims to increase the accountability of organisations for all aspects of data protection. That means that the responsibility for collection, storage and disposal of all personal data comes down to each individual company. The bill also ushers in an exceptionally large increase in penalties for 'non-compliance', with the cap being raised from £500,000 to £17 million2.

There are many different features included in the bill, such as enhanced rights for individuals and an increased focus on record keeping. The latter will require organisations with more than 250 staff to keep and maintain registers of many processing activities, while the enhanced rights include the right to object to various forms of profiling and automated decision making.

Processing notices are also required to be more detailed under the new bill, with individuals better informed about their data protection rights and the ways in which their data is being used3. Organisations also need to formally identify privacy risks, report breaches to regulators within 72 hours of discovery and ensure that data protection is built into new systems and business processes from the design stage.

In what way does this affect the automotive industry?

It's fair to say that the updated laws and regulations surrounding data protection will affect absolutely all areas of business. Companies will need to keep a meticulous eye on the data they gather from customers, staff, and third parties at all times.

Dealerships have access to financial backgrounds as well as the addresses and contact details of customers and staff. Meanwhile, marketing departments will need to be especially careful with how they obtain consent for their activities as these consents must be explicit, freely given and easy to retract. The key facets to consider are how customers' driving records, payment profiles and other details are stored and used.

The careful use and storage of such data is critical. If this confidential data is mishandled in anyway, through poor record keeping or failing to acquire the proper consent, then the consequences could be significant. Needless to say, the new penalties are likely to be an impetus for tightening internal procedures.

If you would like to know more about how Grant Thornton can support your business prepare for the new GDPR, please contact Manu Sharma. We offer training, compliance programme reviews, recommendations for risk and control frameworks and policies, and regular data protection audits.


  1. Two Birds, The UK Government publishes the Data Protection Bill, 20 September 2017
  2. V3, GDPR: New UK Data Protection Bill exempts journalists and researchers handling personal data without consent, 14 September 2017
  3. - Government to strengthen UK data protection law

Get the latest insights, events and guidance about the automotive industry, straight to your inbox