The automotive industry is increasingly driven by data. From supporting connected cars to enabling value-added third party data sharing applications, the industry is reliant on a diverse array of data processing activities.
This data-driven landscape, however, creates a challenging set of data protection requirements for manufacturers to address, not just because of the diversity in data processing activities, but also because of the complexity of their relationships with dealerships and third parties.
Meeting these data protection requirements won’t just ensure compliance, but will also help the industry foster customer trust, drive sustainable growth, and enable further technical innovation. In this blog, we’ll look at the types of data processing taking place in the automotive industry today and the challenges they create, and provide recommendations on how to overcome them.
Data Processing in the Automotive Industry
The infographic below highlights the many different types of data processing taking place within the automotive industry from connected cars to supply chain management.
Manufacturers and Dealership Networks
The relationship between manufacturers and dealerships forms the backbone of the automotive industry, but it also presents somewhat unique data protection challenges.
Dealerships are typically separate legal entities, operating as independent data controllers. These relationships complicate the sharing and onward processing of personal data, introducing potential concerns around the customer’s expectations, specifically regarding who (which legal entity) is handling their personal data, how, and importantly, why.
To ensure compliant data sharing, manufacturers must establish clear data-sharing arrangements that define the roles, responsibilities, and obligations of all parties involved. These agreements should address the specific types of data disclosed, permissible uses, and appropriate security measures. For example, customer contact information collected by a dealership will likely be shared with the manufacturer but should only be further processed (for marketing purposes, as an example) if there is a clearly defined lawful basis, such as a clearly established legitimate interest or valid customer consent.
Transparency is another critical issue. Since dealerships often interact directly with customers, they are increasingly relied upon for ensuring privacy notices are provided at the appropriate time, both their own, and usually that of the vehicle manufacturer too.
To complicate matters further, dealerships are often working with multiple manufacturers in the same showroom, or at minimum, in different showrooms across the same organisation. It is therefore critical that manufacturers collaborate with dealer networks to create standardised processes for delivering these notices, ensuring consistency and reducing the risk of failing to meet minimum expectations around transparency.
Manufacturers must prioritise accountability by conducting regular data protection audits and compliance checks within the dealership network. Offering dealerships guidance on privacy best practices, including template notices and personal data capture forms, can improve their overall compliance. By leveraging joint training and awareness programs, dealerships can be empowered to uphold the same data protection standards as the manufacturers, ensuring they remain in line with brand guidelines and expectations.
There is also another side of the coin that manufacturers must consider when it comes to obligations they share with or require of dealerships, given that each dealership is a separate legal entity and data controller. For example, a manufacturer is likely to want to ensure that dealership staff have received appropriate training on Data Protection. However, the dealership also has an obligation (as a Data Controller) to provide training to all staff, so balancing how the manufacturer's and dealership's interests meet in the middle is not always straightforward.
Key Challenges and Recommendations
Technology Innovation
The rapid pace of technology-driven innovation in the automotive industry has introduced its own compliance challenges. While it drives progress, it often leaves data protection considerations as an afterthought.
This is particularly true when manufacturers race to deploy new features or services to maintain a competitive edge in the marketplace. To address this, it is critical that organisations embed data protection principles into their change management processes.
Privacy by design and default must be a foundation of product development, requiring cross-functional collaboration to identify data protection risks from the outset, giving ample opportunity to implement appropriate safeguards and mitigations. Regular training for engineers, designers, software developers, product and project managers can reinforce the importance of these principles.
Connected Cars
Technology advancements, particularly the rise of connected cars, have also escalated data collection. Vehicles now routinely capture sensitive information such as geo-location, driving behaviours, and even biometric data such as facial and speech recognition.
This level of data collection increases the potential impact of data breaches and misuse. Manufacturers should conduct comprehensive Data Protection Impact Assessments (DPIAs) before implementing new technologies, to ensure data processing is lawful, proportionate and necessary. A well-defined DPIA process can be critical in identifying potential risks and mitigations to prevent any future harm to individuals whose personal data is processed.
Typical mitigation approaches include adopting robust encryption, secure data storage solutions, and anonymisation or pseudonymisation techniques to assist in protecting the confidentiality of sensitive personal data.
Brand Identity
Another significant challenge arises from single entities owning multiple brands, for example Volkswagen Group (owning brands such as Volkswagen, Audi, Porsche, Bentley, Bugatti, Lamborghini, SEAT, and Škoda) and Toyota Motor Corporation (owning Toyota, Lexus, and Daihatsu). Each brand targets different customer demographics, from mass-market vehicles to luxury and performance.
Brands owned by the same group often target distinct customer segments, which complicates marketing efforts and consent management. To ensure a compliant approach to direct marketing activity, manufacturers may be required to implement granular consent mechanisms that enable customers and prospects to select preferences for individual brands and types of communication.
A segmented approach helps to ensure compliance with data protection laws (particularly those relating to direct marketing, such as the Privacy and Electronic Communications Regulations (PECR), in the UK) while developing customer trust through tailored marketing communications that align with their needs and expectations.
Third Party Data Sharing
Sharing data with third parties, such as roadside assistance providers, insurance companies, financial services companies, and software vendors, introduces additional complexity. These partnerships are essential for providing value-added services but require manufacturers to ensure that suppliers can demonstrate their own robust approach to data protection.
This can be achieved, and risks subsequently mitigated, through establishing detailed data processing agreements, performing regular due diligence, and auditing third-party compliance. Furthermore, when local entities share data with parent companies across multiple jurisdictions, standardised data-sharing frameworks, such as intra-group agreements, can help maintain compliance with international data transfer requirements.
Sharing Data with Law Enforcement
The automotive industry is one of a few industries that also has a unique challenge when sharing data with law enforcement agencies, such as the Police and the National Crime Agency. When vehicles are stolen, or used in a crime, law enforcement agencies will often request data from the vehicle manufacturer and/or dealership on who the registered owner or driver of the vehicle is.
In some cases, they will ask for further information available through connected car data, such as geolocation, and speed of the vehicle at a point in time. Manufacturers and dealerships must ensure that they have appropriate processes in place to recognise and manage requests.
Timescales for responding to requests, particularly when related to serious crimes, are tight. Having access to the data, and formalised procedures to share that data securely and quickly, is therefore critical. Importantly, manufacturers and dealerships must still be able to justify the sharing of data and demonstrate that they are doing so in compliance with the law. Therefore, having a defined lawful basis, understanding the purpose of the request, and not sharing more data than is necessary or has been requested are essential.
Staff Turnover
The high rate of staff turnover in the automotive sector intensifies the challenge of building a strong data protection culture. Without consistent education, new employees may inadvertently undermine compliance efforts.
To counter this, manufacturers should develop continuous training and awareness programmes tailored to different roles. This training should be delivered to all new joiners and refreshed annually for existing staff. For example, sales staff should focus on understanding data capture requirements, while marketing teams require advanced training on the dos and don’ts of lawful direct marketing practices, including use of email, telephone, SMS, social media and cookies / similar technologies.
Meanwhile, customer service teams are most likely to require advanced training on the identification and handling of data subject rights requests. Interactive and scenario-based learning can enhance engagement and retention.