Tag Archive | "Data protection"

THE GDPR LOWDOWN



In part two of our GDPR guide, Hayley Pells explains how practical steps will help you be ready.

It hasn’t been a good month for the public’s perception of how companies use their data. You may have noticed that, during the TV coverage of Facebook and Cambridge Analytica, Elizabeth Denham, the UK’s Information Commissioner, would pop up to reassure the public that steps were being taken to regulate how their data was used and stored by companies, which was of course a reference to GDPR. If there was any doubt about how seriously the country is going to take the new legislation, this will be a wake-up call.

Last month, we explored the background of GDPR and how it is going to affect your business. This month, we are going to work through a step-by-step guide to show you how you can become legally compliant yourself. If you are unsure of the process, there is still time to get some professional help. There are independent consultants all over the country, and there are larger organisations who are able to roll out a fast-to-access service. The average garage owner can do this in-house for themselves, but if you are busy, it could be a more cost-effective solution to outsource.

STEP 1 – Awareness

Following on from last month’s article, you need to make sure all of your team know about the legislation. In my case, trying to explain it to my father, who I work with (and who is in his late sixties), is a hoot, but we got there. The key area to get across is the impact this compliance will have on the business and acknowledging the time and cost it will require to implement. Do you have a risk register? It could be useful to have one. Compliance can be difficult if the preparations are left to the last minute, especially if you then plan to outsource.

STEP 2 – Current situation

What personal data do you hold about your clients and staff? Do you really need it? This is a good opportunity to “clean house.” Dispose of the unrequired information responsibly, ensuring that the data is inaccessible at the point of disposal.
What you should be left with is the information that you need. What do you do with it? This is how compliance with the accountability principles of GDPR is achieved. You need to know what information you hold, where it is held and how it is held. It must be held securely. When sharing data, this needs to be done responsibly. For example, does someone else process your payroll? Now is the time to check that the information you share is being shared in a responsible manner and that your service provider is up to speed with their obligations.

Having assessed your current situation it is a good idea to record it and then outline your strategy for improvement. This is a very similar process to how you would complete a risk assessment.

STEP 3 – Communicating privacy information
Do you have a privacy notice? Currently, when you collect personal data you need to give people the following information:
– Who you are
– How you intend to use their information

You have probably given that information without thinking. To continue with the payroll example: “I’m Fred Bloggs, I need your NI number to process your pay.” With the GDPR, this is expanded upon, and there are now a couple of extra things you need to tell people:

– Your lawful basis for processing the data
– Data retention periods
– The individual’s right of complaint to the Information Commissioner’s Office

So for this I shall use the example of information that I gather for an MOT test. My lawful basis for collecting information about my client is that I have been tasked with performing an MOT test on their vehicle. I keep this data for one year and the ICO’s website can be found at ico.org.uk – they are the Information Commissioner’s Office, the UK’s independent body set up to uphold information rights in the public interest. The GDPR requires that plain language is used, so every step should be as clear and concise as possible.

STEP 4 – Individual’s rights

You should check and record your procedures to ensure they cover the following rights of the individual, including how you would erase personal data or provide personal data electronically in a commonly used format:
– The right to be informed
– The right of access
– The right to rectification
– The right to be forgotten
– The right to restrict processing
– The right to data portability
– The right to object
– The right not to be subject to automated decision-making including profiling

Now bear with me. This all probably sounds like something completely new, but before spanners are thrown up into the air and “this modern euro nonsense is just taking over everything, I am but a simple mechanic” is hailed (or was that just my father?), let us examine what this means practically. A lot of these rights are just basic common sense, and you are probably employing them right now. The key areas that are significantly different are mainly within the right of portability, which only applies:

– To personal data an individual has provided to a controller
– Where processing is based on the individual’s consent or for the performance of a contract
– When processing is carried out by automated means

With the Data Protection Act, you could, if you so wished, charge a fee for the provision of data to the individual. Under the GDPR you cannot, and the information provided by the ICO insists that it be provided in a structured, commonly used and machine-readable form.

STEP 5 – Access Requests
Step four outlined the right the individual has, step five now examines how those rights are handled. It is good practice to have this recorded and share it with everyone in your organisation.
– No charge for information requests
– Information to be given within a month (under the Data Protection Act, this was 40 days)
– You can refuse or charge for requests that are manifestly unfounded or excessive
– If you do refuse a request, you are legally obliged to tell the individual why and that they have the right to complain to the supervisory authority and to a judicial remedy. You must do this without undue delay and within one month at the latest.

If you have a large organisation or you handle large numbers of information requests this may be a good time to assess the implications of dealing with requests quickly. It may be worth considering the desirability of systems that allow individuals to access their own information online.

STEP 6 – Lawful basis for processing personal data
Individuals now have a stronger right than under previous legislation to access their personal data, so in order to achieve compliance with the GDPR you should document and share your lawful basis for the collection and processing of this data. This is especially important now that individuals have the right to deletion of their personal data.

STEP 7 – Consent
Consent cannot be inferred from silence and must not be an “opt out” (no pre-ticked boxes or assumptions). This is quite a broad area and will be explored further next month with detailed guidance. Consent cannot be thrown in with your general terms and conditions as it must be freely given, specific, informed and unambiguous. In my opinion, post 25th May 2018, this is going to be the next big goldmine for all those companies that are currently benefiting from the PPI refunds, as it will be an easy area in which to identify non-compliance if the correct procedures are not in place.

STEP 8 – Children
Before shoulders are shrugged because you don’t deal with children, first understand what is meant by the term “child”. Although the consent given by children within this context tends to be more concerned with young children and internet-related services such as social networking, it would be a good idea to consider how you handle the information of apprentices (or any other employees or clients who are under 18). Currently the GDPR sets the age at 16, and this may be lowered to 13. Being mindful of how this age limit may change, and building it into your policy documents for the younger people that you may deal with, will be the best method to achieve compliance.

If your organisation does deal with children, you must remember that consent must come from someone with “parental responsibility” and has to be verifiable. Your privacy notice must be written in language that children can understand.

STEP 9 – Data Breaches
What to do if it all goes wrong? The legislation does consider that, just as locking the door to your home doesn’t stop thieves getting in, you may be subject to a data breach that, under normal working circumstances, would not happen.

If you have a breach, determining the nature of the breach will direct your next course of action. You only need to notify the ICO if the breach is likely to risk the rights and freedoms of the individual, for example, if it could result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage. If this breach is likely to result in a high risk to the rights and freedoms of individuals, you will also have to notify them directly.

In order to achieve compliance with the GDPR you must have procedures in place that detect, report and investigate personal data breaches. Having a good clear out at step two will reduce the risk in this area.

STEP 10 – Data Protection by Design and Data Protection Impact Assessments
Remember when you had to uncheck a prefilled box to opt out of things online? Now you have to check it yourself, and this is what that is about. The chances are, if you collect data in this way, this is something that you are already aware of. I am personally at a loss as to why you would have a need to process information in this way within the automotive aftermarket, but I am sure there is someone out there who could enlighten me!

STEP 11 – Data Protection Officers
If it is everyone’s job, nobody does it. Identifying a person responsible for data protection compliance is now a formal obligation in certain circumstances. You probably won’t be one of them, but it is still good practice to formally appoint someone to oversee your compliance. That person should take proper responsibility for your data protection compliance and have the knowledge, support and authority to carry out their role effectively.

STEP 12 – International
If you are lucky enough to deal internationally with your organisation you should determine your lead data protection supervisory authority and document this. The lead authority will be where your central administration is located but only relevant where you carry out cross-border processing. (This step doesn’t apply to my garage. Currently).

Hopefully, this article will be helpful in becoming compliant for yourself. The advantage of doing this yourself is that your organisation will become familiar with the new legal responsibilities organisations have with respect to personal data. The next article will thoroughly examine the subject of consent and how it is applied in this context.


GDPR: WHAT’S THE FUSS?



Time is running out to get your ship in order for new data regulations

The act of putting one product in the carton of another is something that we all know happens throughout the aftermarket at all levels.

There’s one product in particular that we know is packed in the UK in a dozen or more brand images – and no doubt there are others.

There has been little in the news about the new General Data Protection Regulation (GDPR), which comes into effect on 25 May, so it is hardly surprising that there are many people who either have no idea about it or assume that it has nothing to do with them. Put simply, GDPR will give teeth to existing legislation, the Data Protection Act (DPA), and according to consumer polls, over a third of Britons are already expecting to exercise their rights in accordance with this legislation.

But what does it all mean and, more importantly, what does it have to do with fixing cars? It is easy to brush off this kind of change, assuming that it only applies to big companies like chain fast-fits and dealerships that obviously have some sort of ivory tower that churns out policies and small print in a factory-like manner. They are used to being sued, right? They have all the means to support all this bureaucratic nonsense and the small company that only employs a couple of people won’t have to worry about this kind of EU nonsense, plus Brexit and everything else…

Unfortunately this is not the case. This change has happened and it is coming in the next couple of months. On that day and every day after, this new responsibility will be handed over to you regardless of your preparedness. A bit like becoming a parent really, only without the panting and sweating that you get to herald this kind of immediate change. So what exactly is it?

THE ACT
To break it down, the Data Protection Act (DPA) was introduced in 1998 to protect the rights of the individual with regards to their personal data and how it is processed. A lot has changed since then, particularly the quantity of data that is collected and the complexity of the locations where it is stored.

Most of the legislation from the DPA will remain the same. GDPR will enforce certain elements of it and, although GDPR is an EU directive, it will be incorporated into British law post Brexit.

Louder for the people at the back, whether we are in or out we are keeping this.

Before moving on, it is worth clearly defining what we mean when talking about processing data, especially in the context of General Data Protection Regulation.

At its most basic, this refers to any operation performed using personal data; it does not matter if this is automated, handwritten or typed into a spreadsheet. This includes, but is not restricted to, collecting it, organising it, structuring it, storing it, retrieving it, sharing it and a whole lot else. The official definition can be found on the Information Commissioner’s Office website.

In short, it will now be considered a breach of data if information that is protected by this legislation is not securely stored. This is so serious that even if a breach of data has not occurred, poor management of this data will be treated in the same manner as if the breach has occurred. Dumb luck is not rewarded. If an organisation has been targeted for data theft, or even if there is a suspicion that data has potentially been put at risk, there is guidance on the ICO website on how to manage and report such an incident, and the ICO are keen to push the ‘tell us everything and tell us quickly’ message in the same way you would speak to your insurance company and the police if someone had broken into your premises.


ICO CLOSES IN ON BODYSHOP DATA THIEVES



Theft of personal data is still common

The Information Commissioner’s Office (ICO) has searched two more properties in the North West of England as part of an ongoing investigation into nuisance calls linked to stolen bodyshop repair data. The latest search warrants were executed at a location in Gatley, Greater Manchester and Wilmslow, Cheshire where investigators seized computers and phones that are now subject to forensic examination.

“This illegal trade has multiple negative effects both on the car repair businesses targeted for their customer data and the subsequent nuisance calls made to customers. These can be extremely unsettling and distressing,” said Mike Shaw, Enforcement Group Manager at the ICO. “These people won’t get away with it – any person or business involved in the theft and illegal trade of personal data may find themselves subject to ICO action.”

Since the investigation launched last year, ICO investigators have fined a Hampshire-based firm £270,000 after it carried out 22 million nuisance calls and imposed a £400,000 penalty on Keurboom Communications Ltd for the same offence. Two more properties were recently raided in Macclesfield and Droylsden but no sanctions have been confirmed.


NBRA ISSUES SECURITY ADVICE TO MEMBERS



NBRA Director Jason Moseley

The National Bodyshop Repair Association (NBRA) has issued security advice to businesses in a bid to prevent further cyber attacks, following last month’s ICO raids on addresses where computers thought to have been used in the cyber crimes were seized.

“The National Body Repair Association (NBRA) has been focusing heavily on protecting members’ interests related to data security within bodyshops over the past 12 months”, said Jason Moseley, Director of NBRA. “In our latest move following last month’s massive ransomware cyber-attack, the NBRA has communicated some critical IT security advice to our members to protect their business”.

He adds: “The attack hit the NHS, the French carmaker Renault, many banks and companies around the world. The ransomware that hit the NHS in England and Scotland, known as ‘Wanna Decryptor’ or ‘WannaCry’, has infected 200,000 machines in 150 countries since Friday.”

Some points advised to NBRA members include implementing an actively supported operating system that receives regular updates as well as a ‘disaster recovery plan’ backing up content onto devices kept offline. Moseley also encourages bodyshops to run anti-malware software ensuring they regularly receive signature updates.

Moseley concluded by saying, “We are in a new era of cyber criminality and as a trade association we have a duty of care to assist members to secure their businesses. Being a NBRA member means bodyshops have access to the latest information”. More details can be found on the firm’s website.


KEEPING SECURITY CONTROL



Ransomware is affecting the motor trade on an epic scale. We speak to an expert on how to curb it.

Cyber expert William Taaffe

Security is a big deal in this day and age. You’ll know that the NHS is still reeling after the WannaCry virus hit a number of machines on its network last month, as happened to government and corporate networks around the world. In case you are not familiar, the so-called ‘ransomware’ encrypts the files on an infected computer and, in this case, threatened to delete them unless a ransom, paid in Bitcoin, was received. Even then, it is unlikely that you’ll get your files back, as it will take someone, somewhere, to manually authorise it… which they have no interest in doing after they have both your money and your files.

What you might not know is that this type of software has been affecting the motor trade possibly more than most industries over the past few years. It has mostly been targeted at dealerships, but wherever there is a mixture of weak security and sensitive data, hackers will pounce. To find out what can be done, we spoke to an expert in cyber security in the motor trade. William Taaffe was the Cyber Security Business Manager (he has very recently switched companies) at RDS Global, a firm that started as the IT department of one of the main dealer groups in the 1990s, but has since become an IT support and consultancy brand of its own, following an MBO in 2013.

Our first question is why is the motor trade particularly vulnerable? Taaffe explained that the industry is a sitting duck for wrongdoers. “Turnover is what people are looking for. One reason is because the vehicles and stock are of a high value,” he said. “The other reason is there is huge amounts of data that is collected, that data is stored in different systems. That data is a big vulnerability”.

Another draw for criminals is that the consequences of cyber crime are less than street vice. “I saw a story on the BBC website where a frontline fraudster who was dealing in data was asked ‘why are you doing this?’. He said: ‘because I make more in a single day doing this than in a month selling cocaine.’ I thought it was a great quote – it just shows the power of modern criminality, and it revolves around identity fraud” said Taaffe.

So, what steps can be taken to secure your network? Taaffe recommends that each company should have a ‘cyber audit’, which in the case of very large chains could take several days. “One of the first things we do is look at the physical security” Taaffe explained, “I don’t just mean on the network, I mean who can physically walk into a site”.

There are a lot of quick and easy measures that can be taken to prevent random people from wandering into your main server cupboard, such as a lock on the door at the most basic level, rising to more sophisticated access control cards that can log people in and out of parts of your building (and for these, Taaffe recommends a firm called Paxton Access). However, the most sophisticated lock in the world is no use if it is left open. “Processes are one of the most important things you can do,” Taaffe said. “It’s about accountability, such as whose job is it to flag things up if there is a breach and is it mentioned in management meetings?” These ‘cyber essentials’, as Taaffe refers to them, are obvious, but he explains how common it is to find firms that don’t even have a policy in place for the staff to follow.

CHANGING LAW
This brings us on to another point that firms might not be aware of. By 2018, every company with more than five people will have to implement a cyber security policy, or it will be breaking the law itself.

However, the problem of the day is not with people physically messing with the computers, but perpetrators in unknown countries infecting computers with malicious software, or ‘malware’ as Taaffe calls it. “It takes different forms, but what we’ve been seeing is ‘multi-faced’ malware,” Taaffe explained. “It doesn’t have one specific line of coding, it has a group of different coding. It will sit on your network very efficiently and it won’t run any applications. You might have heard the phrase ‘zero data tag’ which means something that hasn’t been seen before, so it bypasses the anti virus software. It can get into your system and work out where the vulnerabilities are – and then work out what face to put on. Sometimes, with the right conditions it can lock your network up and ask you for Bitcoin to unlock it”.

Once the computer is infected, there isn’t much you can do. “The police will always advise you not to pay, but the reality of the situation is that it is not black and white,” said Taaffe. “The cost to the company for being ‘down’ was £100,000 per day. Sometimes it is better to pay the ransom and then rebuild the network, rather than keep it offline for days and days”.

Taaffe recalls a recent experience where a hacker had exploited a vulnerability in a network to extort a ransom. “In this case, they had a process, but it just wasn’t followed. There’s no point in sending out a memo once a year; it has to be followed up regularly,” he said.

Another old tactic that has seen a resurgence is phishing. This is where the user is duped into handing over data by someone pretending to be something they are not – and this has moved on a lot from the days of apparent Nigerian princes asking politely for your credit card number. “Modern phishing attempts are more advanced,” said Taaffe. “Some will learn individual employees’ diaries and will pretend to be them at certain times of the day, asking for certain amounts of cash to purchase vehicles or whatever. You’d be surprised by the number of people that get taken in by them.”

As with so many things, training, vigilance and enforcing policy are the best guard against criminals. “There are two misconceptions in the market and the first is that you can solve security problems by throwing technology at it: You can’t. The second is that they go away if you install anti virus software, that just won’t cut it anymore,” concludes Taaffe.


FURTHER ICO HOUSE RAIDS OVER BODYSHOP “DATA THEFT”



Two properties in the North West have been raided as part of an ongoing investigation into nuisance calls related to data theft from car body repair shops.

The Information Commissioner’s Office (ICO) carried out the searches on Tuesday 11th at private residences in Macclesfield and Droylsden. There is no word as yet about what, if anything, was seized, or if there were any arrests made.

The investigation centres on hacked data from crash repair shops used to make nuisance calls to people to encourage them to make personal injury claims. The same investigation saw a business and two homes raided in December.

Mike Shaw, Enforcement Group Manager at the ICO, said: “Many people get unsolicited calls suggesting they’ve been involved in an accident, and wonder how the caller had their details. Calls can leave them feeling uneasy and frustrated”.

Jason Moseley, NBRA Director added: “Membership of our association promotes good data diligence and practices. This is something we have been working closely with the ICO for 12 months now, and we fully support that further actions are being taken against this criminal activity.”


BODYSHOP DATA THEFT: ICO RAID HOUSE



Theft of personal data is still common

The Information Commissioner’s Office (ICO) has searched a house in Palmers Green, North London after the Nationwide Accident Repairs Services (NARS) reported illegal activity involving its customer database.

NARS told investigators that its computer system had been hacked in order to obtain customer car repair estimates containing personal data.

The ICO believes that the stolen information may have been sold on to crooks who call people who have had car crashes. “Our experience shows that unscrupulous people access personal data about car accidents to sell it on to marketing firms, who use the details to make nuisance calls”, said Enforcement Manager Mike Shaw. “We searched this house to gather more evidence as we have reason to believe that a person living at this address has illegally accessed personal information”.

NARS has confirmed the illegal activity did not originate from a person working at the company.

Responding to the investigation, Jason Moseley, Director of RMI Bodyshops, said: “We are delighted that further actions are being taken against this criminal activity. Our trade association stands firmly in support of NARS and others for their work with the ICO”.

Theft of personal data is increasingly common as criminals find the risks are significantly reduced compared with other types of crime.


THE COMPUTER WILL SEE YOU NOW


Data protection rules are changing: Here’s what the aftermarket needs to know

Andrew Gallie is a senior associate at Veale Wasbrough Vizards specialising in information and data protection law.


Data protection law has recently been updated by Europe and will be in place in less than two years. Despite the Brexit vote, businesses – large and small – need to note the changes as the penalties for breaches will be severe and adjusting to the new rules will take time.

The European Union’s General Data Protection Regulation (GDPR) was finalised at the end of April 2016 after four years of discussion, disagreement and negotiation and will directly affect all member states from May 2018. Firms have no choice – the GDPR is not going away.

But a question arises: Now that we’re scheduled to leave the EU, will the GDPR still matter? The answer is yes – it will. The Secretary of State for Culture, Media and Sport, Karen Bradley, before a House of Commons committee at the end of October 2016, formally stated that: “We will be members of the EU in 2018 and therefore it would be expected and quite normal for us to opt into the GDPR.”

TAKE THE LAW SERIOUSLY
The GDPR is not a monster but it needs to be taken seriously. Changes will be required, and if the required changes are not made then firms risk considerable fines and reputational damage. Indeed, under the GDPR, those organisations that breach the law could face a fine of up to four percent of annual worldwide turnover or €20m (whichever is the greater).

These penalties do seem geared to the larger firm, but a quick search of the Information Commissioner’s Office (ICO) website – the UK enforcer of data protection law – shows that organisations of all sizes are being taken to task.

PRESENTLY
The present data protection regime, under the Data Protection Act 1998 (DPA), protects a person’s rights in respect of their personal data and is built upon eight data protection principles. These are all common sense and require that personal data is processed fairly and lawfully; obtained and used for specified and lawful purposes only; adequate, relevant and not excessive in relation to their purposes; accurate and up-to-date; not kept for longer than is necessary; processed in accordance with the individual’s rights; kept secure; and not transferred outside of the European Economic Area without adequate protection.

Apart from these there are other points to note about the present law. The first is that there are extra obligations when handling sensitive personal data such as information about ethnic origin, sexual life, trade union membership etc. Further, individuals have a right via a Subject Access Request (SAR) to find out what information is held about them.


THE CHANGES
Rights of the individual
Individuals have a right to know what is going to be done with their data, and who it is going to be shared with. A website privacy notice can tell people about this. Under the GDPR there is additional information which must be provided: Firms will need to tell data subjects – users – the legal basis for processing their data, the data retention period, and of their right to complain to the ICO. There is also a requirement that the privacy notice is concise, easy to understand and in clear language.

The GDPR confers new rights such as having inaccuracies corrected, to have information erased, to prevent direct marketing and a right to data portability (because of this firms will have to provide data electronically).

Presently, firms have 40 days to respond to a subject access request but under the GDPR this will drop down to a month. Refusing a request will require a firm to have appropriate policies and procedures in place. There will also be obligations to provide additional information such as data retention periods and the right to have inaccurate data corrected.

Consent for data processing
For many the most challenging area under the DPA is that of “consent”; that consent to use personal data cannot be inferred from silence, pre-ticked boxes or inactivity. The GDPR requires that consent must be freely given, specific, informed and unambiguous. If a firm is going to rely upon ‘implicit consent’ then it must be ready to deal with a challenge as to how unambiguous the consent was.

Other obligations
There is presently no general obligation to report any data breaches but the GDPR radically changes this and creates an obligation to report data protection breaches which could cause an individual harm within 72 hours. Firms should consider how they would deal with this new obligation. They should be asking: How secure are their systems? What training do staff have? Is personal data encrypted? What breaches might result in an obligation to report? How would the harm to individuals be mitigated? Do the procedures in place around data breaches allow these obligations to be met?

One solution to compliance is obvious – appointing a capable, interested person with the responsibility for ensuring that the obligations are met.

The GDPR is a real and present threat to firms and organisations of all sizes and the financial consequences for ignoring the new rules are severe. However, those that plan and who choose to follow their obligations should have little to worry about.


ICO RAID ON BODYSHOP DATA



The Information Commissioner’s Office (ICO) has raided two houses and a business in the North West, following a tip that people in the premises were involved in the illegal sale of personal data from the motor trade.

The raids are connected to an ongoing investigation into hundreds of thousands of cold calls made to people to encourage them to make personal injury claims in relation to road traffic accidents.

Mike Shaw, Enforcement Group Manager at the ICO, said: “We know lots of people get these calls suggesting they’ve been involved in an accident, and wonder how the caller had their details”.

“The answer is that lists of people who’ve been involved in car accidents can be valuable leads to claims companies. That information is difficult to come by, even for the more disreputable firms, so data on people who’ve simply had their vehicles repaired is still prized, even though many of those people won’t have been involved in any accident”.

Jason Moseley, Director of RMI Bodyshops, said: “We are pleased to hear that investigations into the illegal trade of motorists’ personal data are proving successful”.

He added: “We are committed to helping eradicate this type of behaviour which is tarnishing our sector’s reputation. RMI Bodyshops members recognise the importance of ensuring motorists’ details remain confidential and we will continue to protect our members’ reputations by doing whatever it takes to prevent and stop this behaviour”.
