The General Data Protection Regulation (GDPR) is the new legislation that European Union (EU) Member States will use to protect people’s personal information. It becomes enforceable in May 2018.
On the face of it, it doesn’t seem that GDPR is something which is naturally synonymous with the automotive industry, particularly the design, innovation and technology side. There’s no information about people involved is there? So how can it be relevant?
As it happens, GDPR is incredibly relevant, and I can guarantee that all elements of automotive manufacturing and design innovation must be aware of what is required. Failing to do so could lead to lost revenue, may require that your systems are redesigned and could ultimately result in a fine from a European Supervisory Authority (the bodies tasked with enforcing GDPR).
What is it?
GDPR is an EU law which applies to ‘controllers’ and ‘processors’ of ‘personal data’. It is based on six principles which all controllers and processors must adhere to, and is enforceable to the tune of 20,000,000 euros or 4% of your global turnover (whichever is greatest) if you fail to comply.
But, how does designing and making cars and their component parts involve personal data? And, isn’t the UK leaving the EU? So does GDPR really matter?
In short, the answer is yes. It really does matter.
The regulation applies to all organisations that process the personal data of Europeans; the company doesn’t have to be based in an EU Member State. Furthermore, the UK has decided to adopt the regulation even after it has left the EU. Therefore, any controller or processor based within or outside of Europe will need to comply with GDPR in order to do business with a European person or company. That is, of course, if the product or services involved are processing personal data.
‘Personal data’ is a complicated matter and there really isn’t a limit on what it is. GDPR says it is any information which can be used to identify a person (you or me!). It can include data which on its own is nothing but which, when combined with other information, allows us to identify someone. And that is why there is really very little limit to what constitutes personal data. Take Vehicle Identification Numbers (VINs). In isolation they tell us nothing, but together with a V5C log book, they can tell us who the person is, where they live, what car they drive and the specification of the car. From this we might be able to infer other information, for example the owner’s wealth. This could be valuable information depending on who gets hold of it.
A ‘controller’ is the person that makes decisions about how personal data is used, whereas a ‘processor’ is a person that carries out actions on data, under the strict instructions of a controller. Both are required by law to demonstrate compliance with the six principles of GDPR, which require that personal data is:
- Processed fairly and lawfully.
- Used for a specific purpose and nothing else.
- Limited to just what is necessary for the purpose.
- Accurate and up to date.
- Kept for no longer than necessary.
- Protected from loss, damage, destruction and unauthorised processing by appropriate security.
However, Original Equipment Manufacturers (OEM) and suppliers don’t process any personal data. So, how can it apply to this sector?
Why does it matter?
Cars are becoming increasingly connected. Connected technology improves the drivers’ experience, improves safety and increases efficiency. This is achieved by communicating information about the car and the driver to many sources. This can include insurance providers, breakdown services and dealership parts departments.
It’s important to remember that personal data is information that can be used to identify a person, whether on its own or with the addition of other information. With this in mind, information passing from a car to another source will undoubtedly mean there’s potential for the driver, or in some circumstances the passengers, to be identified. Where the data is being accessed by organisations such as garages, insurance companies and service providers, it is possible that, depending on how the systems are configured, they become ‘controllers’ upon access to the data. This is because such third parties would be responsible for determining the purpose for processing the data. This would mean that under GDPR they would be required to comply and would therefore be held accountable for failure to do so.
For example, a garage may use a diagnostics laptop to interface with certain systems (such as the head unit) in order to apply a firmware update, either directly or remotely. The data which becomes accessible could contain emails, bank information, phone books or even location data.
Another example is the triangulation of service data to uniquely identify a vehicle. This may be tyre pressure monitoring technology (TPMS) that broadcasts tyre pressure data to allow the driver to monitor the car’s condition. Under the right conditions, a combination of tyre pressure data and the unique identifiers that each TPMS sensor has could be wirelessly intercepted and used to identify a vehicle. If the vehicle is driven by just a single person, you could begin to build up a picture of the movements of that person. All of this data builds a profile of the driver that could be used to identify them. As such, the information would constitute personal data.
Connected technology is data intensive. And, with so much information being processed, it can allow third parties to directly or indirectly identify a person. As such, it is vital that the design, innovation and manufacturing sectors within the automotive industry enable technology to apply the principles of GDPR.
So what needs to happen?
At this point, I need to introduce the concept of privacy ‘by design’ and ‘by default’. This is a requirement of GDPR and failure to adhere to it could result in fines. The impact on manufacturers is that car design and component design, particularly in relation to connected car technology, will need to accommodate the six principles of data protection ‘by design’. As such, hardware and software must be configured in such a way that permits a ‘controller’ to comply with GDPR. This applies whether the controller is a manufacturer, service centre, insurance company or indeed any entity which is able to connect to the car, such as an IoT device.
As an example, hardware and software must be designed to ensure:
- Data which is collected and transmitted is limited to only that which is relevant for the purpose (second principle).
- Data collected and stored by devices on the car is kept for no longer than is necessary for its purpose (fifth principle).
- Data being stored and broadcast from the car, and its components, is appropriately secured and protected from loss, damage or unauthorised processing (first and sixth principle).
If systems are not able to accommodate the six principles of GDPR, by design and by default, the ability of a ‘controller’ to use the technology becomes restricted. This is because they too must observe the six principles of GDPR and risk a fine if they don’t. In turn, the product becomes less desirable to the manufacturers and sales are likely to fall.
In the short term, demonstrating that your product or technology supports the requirements of GDPR could be a market differentiator. The potential fines that controllers and processors may face for procuring non-compliant hardware and software could make you the lowest risk and therefore most appealing choice. In the long term, this will become a market standard and there will be no place for a manufacturer that hasn’t considered the requirements.
To avoid being left behind, it is important that steps are taken now to ensure the principles of GDPR are a part of the design and manufacturing processes. Understanding your products and processes in the context of GDPR and privacy is the first step. The next step is designing processes and procedures that are capable of providing assurance of compliance to interested third parties, such as buyers and supervisory authorities.
With just under a year until GDPR becomes enforceable, there really is no time like the present to embark on the journey to compliance. To learn more about how GDPR affects the automotive industry, join NCC Group at Connected Cars & Autonomous Vehicles, stand CS120, and speak to a member of our team.
For more information:
GDPR - www.nccgroup.trust/gdpr
Transport Assurance Practice – www.nccgroup.trust/transport
Nathan Harrison is a Consultant in NCC Group’s Privacy Team. He joined the company 18 months ago and has been involved in multi-sector GDPR and privacy projects since day one, including across the automotive industry. He has a background in data protection and privacy having worked for the Information Commissioner’s Office (ICO) as a Lead Case Officer for their Enforcement team. Nathan was responsible for leading investigations into serious and high profile privacy breaches and for advising on what regulatory action was necessary, including fines. Prior to this Nathan held the position of Lead Auditor at the ICO where he was responsible for conducting data protection audits on organisations of varying size, across all sectors.