Q. Can we send out MOT and service reminders to our customers?
A. We have a list of customers to whom we send a reminder every year. This process is already compliant with the Privacy & Electronic Communications Regulations. This means we can carry on sending those reminders using the GDPR lawful ground of ‘legitimate interest’. For emails, this means we can carry on sending them as long as we offer you (the customer) the option to opt out in every communication.
To be clear, Recital 47 in the GDPR allows direct marketing as a ‘legitimate interest’. You do not need to seek consent, but you do need to meet any other legal requirements.
Q. If we want to rely on consent, how detailed does the form have to be?
A. Very. Consent in the GDPR context has to be of a certain level. Blanket statements such as “I consent to receiving details of special offers” will not meet the standard. Consent under GDPR has to be granular, meaning we have to list what we will be sending and get consent for each type of communication: a tick box for emails, a separate box for text messages, a separate box for phone marketing, etc. We will review consent annually and advise you of the system we have in place to do that.
Q. Do we need to get our employees to consent to us holding their personal data?
A. No, avoid using consent as your GDPR lawful basis. You can lawfully process your employees’ data under the ground of ‘contract’, as without their personal details you cannot enter into an employment contract with them. Further, you can process their details under the lawful basis of ‘compliance with a legal obligation’, as you need their information to pay tax, NI and pension contributions.
Q. Can we still use job cards and how long do we keep them for?
A. Yes, we still use them, but we make sure they are not left lying around in a public area where someone could read another person’s personal details. The answer to all questions about retention periods is that the information is kept for as long as it is needed but no longer. When we decide to dispose of manual job cards (once the information has been input onto a digital system), we securely destroy them.
Q. Will BTE Automotive get a fine of £17 million?
A. Unlikely, as the large fines will be reserved for big companies that process vast amounts of data. SMEs are more likely to receive a smaller fine or an Enforcement Notice giving them the chance to put things right. We are actively making changes to ensure we comply: we undertake annual information audits and put systems in place so that we are able to demonstrate an attempt at compliance.
Q. Can I get more information?
A. Yes, there are various legal articles on the Lawgistics website and as a member of Group Auto, and the Retail Motor Industry Federation, you as a consumer have access to the Lawgistics telephone helpline 01480 455500.