Although the incumbent EU General Data Protection Regulations (GDPR) is scheduled to come into effect in the springtime (May 2018), for many companies handling European data, GDPR feels like “winter is coming”. This is particularly true of the vehicle and connected car ecosystem that is concentrating hard on tackling the already complex issue of car data privacy in the quest to reach its full potential.
The road to the full blown connected car revolution has been paved (sorry, it had to be done), and it’s vital that any company in this space – providers and consumers of car data alike – take measures to ensure driver data is compliant with worldwide data protection regulations and standards, including GDPR. The changes in the GDPR will give individuals more control over their personal data and make it easier to access it. This update is an imperative step not only to avoid penalty, loss of revenue and costly system redesign, but also so that drivers can find the confidence that will enable them to both share their data freely and to benefit from the many life-saving and life-changing benefits that car data has already begun to introduce.
Although it is more than likely that most auto makers and suppliers have already taken partial measures towards compliance, securing data and its use and exchange requires an expertise all in its own. Further, as the relation between car data, its personal nature and its utilization in the car world have yet to be formalized, there are still companies that are unsure of their role in the compliance value/supply chain.
While we are seeing car OEMs considering various approaches towards achieving GDPR compliance, its high time we all get familiar with the updated key principles of the GDPR:
- Consent – The GDPR introduces reinforced conditions for consent. The request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent. Silence, pre-ticked boxes or inactivity will not be sufficient to constitute consent. Data subjects can withdraw their consent at any time, and it must be easy for them to do so.
- Accountability – The GDPR’s new concept of accountability requires businesses to be able to demonstrate compliance with the GDPR. To this end, they are required to keep detailed records of data processing activities and implement appropriate technological and organizational measures to ensure, and be able to demonstrate, that processing is performed in accordance with the GDPR.
- DPO Data Protection Officers – Article 35 of the EU Data Protection Regulation requires companies to appoint a Data Protection Officer. The DPO is the person who directs and oversees all data protection activities within a company, devises the policies and procedures that bring the organization into compliance with the Regulation, monitors the implementation of those policies, ensures that all staff are fully trained regarding data protection, assigns responsibilities and handles the public’s requests regarding their personal data. The DPO keeps management informed of data breaches and is the primary contact point for supervisory authorities.
- One-stop-Shop – The one-stop-shop mechanism will streamline cooperation between the data protection authorities on issues with implications for all of Europe. Companies will only have to deal with one authority, not 28. Businesses will profit from faster decisions, from one single point of contact and from less red tape.
- Privacy by Design – ‘Data protection by design’, now an essential element in EU data protection rules, requires that safeguards be built into products and services from the earliest stage of development, and privacy-friendly default settings will be the norm – for example on social networks or mobile apps.
- PIA – Privacy Impact Assessment calls for organizations conduct an assessment before personal data is processed. The assessment should ascertain whether there might be a detrimental impact on the rights and freedoms of the data subjects by the nature, scope or purposes of the planned processing operations.
- Data Breach means that organizations must notify the national supervisory authority of data breaches which put individuals at risk and communicate to the data subject all high-risk breaches within 24 hours of discovery. A breach occurs when the integrity of data is compromised — if it is exposed to unauthorized people, is tampered with or otherwise compromised. Any delay will have to be justified.
- Enhanced rights – GDPR introduces greater consumer rights such as right to access and a right to be forgotten, right to be informed, right to rectification and the right of access. Individuals are also granted a right to object to profiling and to be subject to automated decision-making based on data profiling. This grants data subjects more control over the processing of their personal data. However, a data subject’s access request can be refused if it is manifestly unfounded or excessive, in particular because of its repetitive character.
Despite the challenge involved in complying and the threat of heavy penalty and revenue loss, we all need to keep in mind that regulations like GDPR are true enablers of progress and market differentiators that will assist in catalyzing the mind-blowing innovations that the connected car market is just beginning to roll out.