With the General Data Protection Regulation (GDPR) going into effect soon, companies are significantly changing the way they manage data. Just like any business that collects personal data about individuals, the automotive industry is preparing for the effects of the new regulation. To help educate companies developing technology for autonomous and connected cars, we teamed up with attorneys Claudia Rast and Jennifer Dukarski of the law firm Butzel Long to share important information about GDPR and what automakers can do now to prepare for it.
We recommend you watch the webinar for a deep dive into GDPR and its impacts on the automotive industry, which includes valuable information and tips for achieving compliance. For those who just have time for a quick recap, here are eight things Claudia and Jennifer say you can do now to prepare for GDPR.
- Identify your role. As a company, it’s important to understand if you’re a data controller or a data processor as defined by GDPR. The data controller is the entity that determines the purposes, conditions, and means of processing personal data. The data processor is the entity that processes data on behalf of a data controller. Both entities are responsible for compliance.
- Review your privacy policies. Are your existing privacy policies appropriate and applicable under GDPR, or do you need to update them?
- Review and update your procedures. Companies must be able to show compliance with GDPR. Document your data protection policies so you can demonstrate how they are compliant.
- Identify the method and lawful basis for consent. This is a good one to whiteboard: what information do you collect, from whom, and under what lawful basis?
- Determine if you need a Data Protection Officer (DPO). Not all companies require DPOs, but some are obligated to appoint one under the new regulation. The UK’s Information Commissioner’s Office provides helpful guidance to understand if you should appoint a DPO.
- Review your internal data breach procedures and detection methods. Under GDPR, companies have a 72-hour window to investigate and report data breaches. The time of the breach is not the time to determine your response plan—do it now.
- Establish documentation procedures. GDPR requires documentation proving that you have the necessary policies and procedures in place to comply with the law appropriately. Having a documented basis for data collection—and the information that you need to give to individuals prior to consent—is critical.
- Get consent. GDPR requires companies to get clear consent from individuals to process their personal data for a specific purpose. You must have a plan for getting this clear consent for all personal data you collect.
For more information on GDPR, we recommend you visit the EU’s GDPR website, which is chock-full of helpful resources to guide you on your path to compliance.