The General Data Protection Regulation 



On 25 May 2018, the General Data Protection Regulation (GDPR) will come into effect.

From that date, all personal data will be regulated under the stricter GDPR, so more stringent guidelines and procedures must be adopted and followed.

In preparation for the launch of GDPR, NFDA is continuing to work with franchise vehicle retailers to meet the challenge of GDPR compliance. 

Following two extremely successful GDPR workshops, NFDA will be hosting a third workshop on Friday 15 September at the Warwick Hilton hotel. The workshop will be presented by NFDA's solicitors, TLT. 

For further information or to attend the workshop, please contact Louise Woods on 01788 538 303.


Summary of the key changes and impacts:

1. Collecting and using personal data

  • More stringent requirements, with all processes for collecting personal data to be reviewed.

  • Changes need to be made to privacy policies and any documentation detailing how an individual’s data is used – for example a consent form asking for personal data. 

  • Clear, concise, direct language used to obtain consent. 

  • New rights for people accessing their personal data.


2. Use of personal data for marketing purposes 

  • Must have consent to send people electronic marketing.

  • Must have proof of how you obtained consent. 

  • Consent must be obtained in accordance with the new GDPR requirements, even if that consent was obtained before GDPR implementation. 


3. Data sharing arrangements 

  • Must only use data processors that comply with GDPR. The onus is on you as the user to ensure that the data processors comply. This includes third parties such as IT providers, cleaners or manufacturers.

  • If you use mailing lists from a third party, it is up to you to ensure that they are compliant and you have to prove and record your due diligence, including why you believe they are acceptable to use.  


4. Demonstrating compliance and accountability

  • Must be able to demonstrate compliance with GDPR and explain and back up all decisions to the ICO.

  • Consider the need for a data compliance officer or other responsible individual to manage your data protection compliance. 

  • Put in place measures to ensure that a record of the personal data processed is maintained.

  • Ensure adequate policies and procedures are in place relating to the collection of personal data. 

  • New staff training required.


5. Data breaches and sanctions for non-compliance

  • It is mandatory that you notify the ICO of any data breaches and, if necessary, the data subject.

  • The new maximum level of fine is €20 million or 4% of total worldwide annual turnover (whichever is greater) for a personal data breach.

  • Depending on the levels of shares or benefits a director receives from a company, directors may also be liable to pay a fine if there is a breach. 

  • Claimants who have had their personal data rights breached can also claim for damages. 

  • Class actions can also be taken against a company for damages.