Time is running out to get your ship in order for new data regulations
There has been little in the news about the new General Data Protection Regulation (GDPR), which comes into effect on 25 May, so it is hardly surprising that there are many people who either have no idea about it or assume that it has nothing to do with them. Put simply, GDPR will give teeth to existing legislation, the Data Protection Act (DPA), and according to consumer polls, over a third of Britons are already expecting to exercise their rights in accordance with this legislation.
But what does it all mean and, more importantly, what does it have to do with fixing cars? It is easy to brush off this kind of change, assuming that it only applies to big companies like chain fast-fits and dealerships that obviously have some sort of ivory tower that churns out policies and small print in a factory-like manner. They are used to being sued, right? They have all the means to support all this bureaucratic nonsense and the small company that only employs a couple of people won’t have to worry about this kind of EU nonsense, plus Brexit and everything else…
Unfortunately, this is not the case. This change has happened and it is coming in the next couple of months. On that day and every day after, this new responsibility will be handed over to you regardless of your preparedness. A bit like becoming a parent really, only without the panting and sweating that you get to herald this kind of immediate change. So what exactly is it?
To break it down, the Data Protection Act (DPA) was introduced in 1998 to protect the rights of the individual with regard to their personal data and how it is processed. A lot has changed since then, particularly the quantity of data that is collected and the complexity of the locations where it is stored.
Most of the legislation from the DPA will remain the same. GDPR will enforce certain elements of it, and although GDPR is an EU directive it will be incorporated into British law post-Brexit.
Louder for the people at the back: whether we are in or out, we are keeping this.
Before moving on, it is worth clearly defining what we mean when talking about processing data, especially in the context of the General Data Protection Regulation.
At its most basic definition, this refers to any operation performed using personal data. It does not matter if this is automated, handwritten or typed into a spreadsheet. This includes, but is not restricted to, collecting it, organising it, structuring it, storing it, retrieving it, sharing it and a whole lot else. The official definition can be found on the Information Commissioner’s Office website.
In short, it will now be considered a breach of data if information that is protected by this legislation is not securely stored. This is so serious that even if a breach of data has not occurred, poor management of this data will be treated in the same manner as if the breach had occurred. Dumb luck is not rewarded. If an organisation has been targeted for data theft, or even if there is a suspicion that data has potentially been put at risk, there is guidance on the ICO website on how to manage and report such an incident, and the ICO are keen to push the ‘tell us everything and tell us quickly’ message in the same way you would speak to your insurance company and the police if someone had broken into your premises.