How to prepare your automotive locksmith business for GDPR
The General Data Protection Regulation (GDPR) is a regulation enforced by the European Union to strengthen data protection for everyone within the EU, and will affect all businesses that sell goods or services to people within the EU.
The GDPR will come into force in the EU on 25 May 2018, and at this point all organisations, including automotive locksmiths, that hold personal data of individuals will have to get all current data up to standard and abide by these strict data privacy regulations, or else be faced with heavy fines.
In an ever-growing digital world, the aim of GDPR is to put the control of personal data back into an individual’s hands, and to protect people from privacy and data breaches. Personal data is any information that can identify a person, such as their name, photo, email address, bank details, social media information, medical data, or even a computer IP address.
Here we will highlight where you need to start with GDPR:
Awareness
Make sure all managers and key decision makers in your business are aware of GDPR and appreciate its impact. GDPR is not here to hinder businesses; customers and clients will engage more strongly with businesses who take their data and privacy seriously.
3D Group Recommendations:
Have a good understanding of how important your customers’ data is. As automotive locksmiths we are required to take this data, and almost all of us need to store it in some way or other. Treat customers’ data like your own: keep it safe and up to date! Remember to shred any hard copies when you no longer need them.
Information
Take note of what personal data you hold, where it came from and who you share it with. This will help with the audit process.
Whether it’s personal data you take when completing a quotation or whether you’re booking in a job, you will hold a client’s name, contact number, email address and vehicle information as well as scans of their driving licence, address and possibly even their V5 documentation. This is all personal data which you will be responsible for.
3D Group Recommendations:
Quotations that haven’t been converted into jobs: keep personal data for no longer than 12 months (keep the quote details for longer, just remove the personal data attached).
Jobs/invoices: keep for 5-7 years, depending on how long your accountant recommends, but this needs to be clearly communicated.
Delete old data to keep your records up to date. If you have data stored, ask yourself if you really need it and if not, delete it!
Communicate
You will need to update your website with terms and conditions or privacy notices to show how customers’ personal data will be stored when you provide a quote or book a job.
Information needs to be transparent and you will need to highlight your lawful basis for processing. You should tell your customers how you will process their personal data, in a way that is:
- concise, transparent, intelligible and easily accessible
- clear and plain language
- free of charge
For all marketing communications you will need to give your database the opportunity to re-opt-in to marketing whether that’s for newsletters, post or text etc. (if your previous consent procedure isn’t up to GDPR standards).
It is important that both new and old customers know exactly what they signed up for. Their data cannot be used for anything else and consent cannot be implied.
3D Group Recommendations:
Update your online quotation forms so that customers have to accept you are going to hold their personal data. If you would also like to send marketing to them in the future, have another opt-in box added to your online form. Keep track of when they accepted these terms and conditions along with what they actually accepted.
Processes and procedures
Decide what systems you will put into place to make sure that personal data is secure and confidential, and how you will collect data and record customer consent.
3D Group Recommendations:
V5 documents from completed jobs shouldn’t be kept for any longer than 6 months.
Keep track of how you take copies of personal documents (mobile phone picture, scanned to email). Remember to delete them from the relevant locations.
Subject access requests
With GDPR, any individual has the right to get in touch with you or your business to request the information you have on file for them and can ask to be removed completely from your database.
It will be vital to stay on top of these requests as they will need to be handled within the new timescale of 40 days, and you cannot charge for this.
3D Group Recommendations:
If all your data is kept in the minimum number of locations (one central digital location and one hard copy location) then this task is easy! We don’t see many automotive locksmiths getting these requests, but you need to be ready just in case you do!
Data breaches
Put procedures into place to detect, report and investigate a personal data breach. If you operate internationally outside of the EU, you will need to check which data protection supervisory authority you come under.
3D Group Recommendations:
Small businesses will be the next target for hackers! These are the ones that will be vulnerable. Try to keep your data central, secure and up to date.