Satnav address records and Bluetooth phone information stored on used cars and vans are set to create a headache for remarketing companies with the arrival of General Data Protection Regulation (GDPR) next year, says the Vehicle Remarketing Association (VRA).
The trade body, which represents companies that are involved in remarketing more than 1.5 million vehicles every year, says that the principle of personal data within GDPR means that the information should be removed before sale – but that doing so wasn’t always easy.
Sam Watkins, deputy chair at the VRA, said: “Anyone who has bought a used car in the last few years will know data such as satnav and phone records from the previous owner is often not removed when a vehicle is sold.
“It’s probably a good idea in general that this data should be deleted – it provides a very good indication of a person’s movements, work and social activities – but GDPR makes it a legal responsibility. At some point in the supply chain, it has to be deleted. The question is - who should be responsible for doing this?
“The problem is that each different manufacturer and sometimes different model has its own way of deleting these records, plus it is quite time consuming. If you are processing thousands of ex-fleet vehicles through an auction every week, it’s a genuine headache.
“There is no apparent, easy solution, but the VRA is looking at this issue and will be seeking guidance from manufacturers and others.”
Tim Bailey, fleet services director at Auxillis Services, a vehicle rental company providing replacement vehicle services, said: “We have been aware of the GDPR legislation for some time and preparing for this legislation in a number of areas.
“Since the end of last year, on collection of vehicles from our customers, we remove all previous satnav and in car phone records, as a matter of course. Given the varying methods employed by the manufacturers, this is no easy task but is essential nevertheless.
“Any record that can be tied back to an individual needs to be dealt with in accordance with GDPR and your company’s resultant control policies.”
General Data Protection Regulation will replace the Data Protection Act 1998 (DPA) in May, 2018. It is European legislation designed to unify the separate EU member states’ regulations and to give people living in the EU more control over their personal data.
Fundamentally, GDPR is the same as the Data Protection Act but there is a high degree of emphasis on accountability and transparency, and businesses must demonstrate and create robust audit trails for compliance and decision making.
The new law also comes with significant penalties, with much wider scope than the DPA - for data processors now as well as data controllers. Ultimately, companies can be fined up to 4% of their worldwide turnover.
The issue of GDPR was raised at the September member meeting of the VRA, which was attended by more than 30 industry experts and took place at the premises of Fleet Auction Group in Coalville, Leicestershire.