Data protection is a fact of life. The GDPR has been in effect for some time now and, contrary to some predictions, the sky has not fallen. However, data protection is an ongoing issue and it is easy to let your guard down. As customers are becoming more aware of their rights and more aggressive regarding perceived breaches, we have decided to put together a series of articles on everyday data issues.


Newsletters are a common tool for businesses to stay in touch with their customers and add value to any offering. Normally these are a relatively low-risk activity. However, they also represent a risk to the business if the data used in their creation and distribution is not managed correctly.

Processing is defined under the GDPR at Article 4(2) as:

“Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;”

As such, whenever you are collecting, organising, structuring, storing… disclosing by transmission or disseminating personal data, such as providing an individual’s email address, you will need to comply with GDPR/Data Protection Act 2018.

Data subjects’ email addresses should not be visible to other recipients without their informed consent. There have been a number of high-profile incidents in which a group of recipients was “CC’d” onto an email, so that their details were fully disclosed to one another.


The effect of any such disclosure will depend on the nature of the email sent. In the case of a recent email sent to participants in the child abuse enquiry, significant and sensitive personal details were disclosed (i.e. whether they had suffered child sexual abuse), and as a result the commission was fined £200,000.00.

Whilst it is unlikely that any breach by a motor dealer will be so significant, any breach will risk at least a reputational loss. We therefore strongly advise that any such group emails be either sent individually or sent using measures that obscure the identity of other recipients, such as BCC (blind courtesy/carbon copy).

The above is a very broad overview of one aspect of GDPR. The legislation and guidance are still developing. We will endeavour to keep you informed through regular articles and case studies. For further information please visit the Information Commissioner’s Office website.

Remember, as an RMI member you have access to the RMI legal advice line, as well as a number of industry experts for your assistance. Should you require further information in respect of the article above, contact the legal advice line at any stage for advice and assistance as appropriate.


Motor Industry Legal Services

Motor Industry Legal Services provides fully comprehensive legal advice and representation to UK motor retailers for one annual fee. It is the only law firm in the UK which specialises in motor law and motor trade law. MILS currently advise over 1,000 individual businesses within the sector as well as the Retail Motor Industry Federation (RMI) and its members.