With the introduction of the GDPR regulation this year, automotive dealerships are amongst the many UK businesses that have been taking a long hard look at how they collect, store, and manage data.
Dealerships have quite a challenging supply chain network, with partners including vehicle manufacturers, insurance partners and servicing partners, to name a few. This makes it a complex environment to navigate when you include personal data and its management into the scenario. Not only is there a need for the data-sharing processes to meet high security standards that are governed by customer consent, dealerships also need to ensure that supply chain partners protect the data in a way that is fully compliant.
However, while the requirements for the GDPR are clear, many dealerships are working with legacy systems and processes that have the potential to put personal data and its security at risk. A simple review of people, processes and policies to identify areas of weakness is a good place to start, but what else can these dealerships do?
Map where personally identifiable data is held
With new and old customer data and, of course, employee data, it can be difficult to keep track of what data is held and where it resides in the organisation. By conducting an in-depth analysis of your customer data and the systems that are used to store and manage it, as well as mapping data, it’s possible to see where data flows across the dealership and partners. This can help to detect potential security vulnerabilities in systems and processes, and support your effort to centralise data and delete aged or duplicated data to minimise risk.
Manage data for the lifetime of the customer
Data often needs to be shared with other supply chain partners, such as manufacturers or servicing companies. By mapping your data and data flows, it is possible to identify when and how data is typically shared with your supply chain partners. This allows you to identify and address security gaps, such as inconsistent data sharing processes, or scenarios where personal data is sent by email over unencrypted connections. You can look to extend this work and agree with supply chain partners that they apply the same high standards of data protection once customer data has been shared with them.
Get technology security right
Regularly performing IT security audits of all systems involved in data collection, management, storage and sharing is key. Integrating standard IT security technologies, including firewalls for perimeter security and internet security and anti-virus software, is an important step. However, there is also the opportunity to consider limiting access to customer databases based on password security, biometric security, or other technologies that ensure that only authorised dealership staff can access customers’ sensitive PII and financial information.
Define a data protection culture
A driving force behind cultural change is creating an environment that embraces data protection. Establishing executive-level sponsorship to clearly communicate the importance the dealership places on safeguarding customers and their data can really help to embed this as a business-as-usual activity. Dealerships can introduce training programs to support employees, improving their awareness and understanding of what GDPR is and how to work compliantly with data.
Have trusted advisors managing the customer relationship
With large sums of money and high-value vehicles changing hands on the forecourt, as well as the management of personal information, there is something to be said for carrying out background checks on new starters and indeed people who have been in the organisation for some time. These checks are easy to carry out and offer both the organisation and its customers peace of mind about who is managing their personal information and indeed finance.
Technology advancements, regulation and future strategy
By choosing the right approaches and investments, you can manage your data protection needs and build technology solutions on open architectures to create a strategy that is fit for the future. These allow you to simply evolve your data protection platform as security risks change, and to connect into new data protection technology that is likely to come to market in the future. It also provides an opportunity to consider utilising low-cost platforms which use open Application Programming Interfaces (APIs). This flexibility in infrastructure is particularly important given the rapidly changing regulatory landscape.
Build out a data breach readiness response plan
Putting the customer front and centre of a plan will ensure you have the right resources and expertise in place so you can respond and notify the regulator and the individuals affected. This forward planning will help limit damage to your reputation and customers. It’s also an opportunity to demonstrate your commitment to your customers and safeguard them from becoming a potential victim of fraud in the future.
Planning for a data breach in advance is a step every organisation can take and is the right thing to do by the customer. It means you can respond, reassure and recover with confidence.