What you need to know about the General Data Protection Regulation

The new General Data Protection Regulation came into force on 25th May 2018. All organisations collecting, storing or processing personal data will need to be compliant.

What is the GDPR?

On 25th May 2018 the EU’s new General Data Protection Regulation (GDPR) came into force. This replaced the Data Protection Act 1998. The GDPR is now part of UK law.

The GDPR aims to overhaul the laws which determine how businesses process individuals’ personal data. There are seven key principles of the GDPR which all centre around fairness, transparency and control. All organisations collecting, storing or processing personal data must comply with the new regulations. You can read more about the key principles of the GDPR on the ICO Guide to the General Data Protection Regulation.

Auto Trader takes the privacy of the data it holds very seriously. We have updated our policies and Terms & Conditions to comply with the regulations, which you can view here.

Does this affect the way I do business with Auto Trader?

The GDPR applies to data controllers and processors and places specific legal obligations on each party. This includes information which Auto Trader passes to you regarding customer enquiries for vehicles you advertise on autotrader.co.uk.

You can find out more information regarding the role of controllers and processors here.

To ensure compliance, we have now updated our process for collecting consumer consent for enquiries and have removed any data for which we do not have the appropriate consent. We have also built a brand-new lead management area within Dealer Portal giving you the ability to manage all your leads in one place and contact customers directly. Key updates to the lead process we have now made include:

  • To protect consumer information, personal details relating to lead data will only be sent via email where we are confident the recipient’s mailbox is secured. Lead information will also be available via the new lead management system within Dealer Portal. Alternatively, you can choose to integrate directly with our API or work with your lead management partner to integrate with our API. Find out more about these solutions here.
  • We have removed all historical enquiries which did not have GDPR-compliant consent, as well as the “Contact List” section and the sales invoicing tool in Dealer Portal. This is because under GDPR we cannot hold consumer data for which we do not have appropriate consent. All new enquiries will have the appropriate consent and will be available within the new lead management area of Dealer Portal.
  • The consumer is giving consent for you to contact them only about the vehicle advertised on autotrader.co.uk. You cannot use this as consent to contact the consumer for marketing purposes. You must obtain specific consent from the consumer for any further contact. You can find out more about consent here.

Auto Trader has an obligation to ensure the personal data collected for a vehicle enquiry, which we pass to you, is processed lawfully under the GDPR.

There are several key areas which clarify how we should process enquiries under the GDPR, including:

  • “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.”
  • “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”
  • “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed”
  • “processed in a manner that ensures appropriate security of the personal data”

How can I make sure my business complies with GDPR?

The Information Commissioner’s Office have published a series of useful guides for small businesses to help you prepare for GDPR, and you may wish to seek independent advice.