What Does the GDPR Have to Do with Car OEMs?

5 Insights for a smooth regulatory ride

Chances are that you’re running into the acronym GDPR more and more. But unless you’re a seasoned lawyer or European bureaucrat, it remains one of those buzzwords you’re supposed to know about but are probably still not sure what it means or how it applies to your business. Don’t worry, that’s why we wrote this post.

What is the GDPR?

The General Data Protection Regulation (GDPR), coming into force in May 2018, is all about providing stronger protection to personal data. Although this new regulatory requirement only applies to EU citizens, it will also affect companies that operate from outside the EU if they offer goods or services to EU residents or monitor the behavior of EU residents.

While the GDPR introduces new individual rights, such as consent to data collection and processing, access and request for deletion, it also presents new requirements, such as reporting data breaches within 72 hours of detection, mandatory privacy impact assessments, and appointing a Data Protection Officer.

This legislation will also have bite: The consequences of breaching this data protection law sets the maximum fine for a single breach at the greater of €20 million or 4% of the company’s annual global turnover.

How is the GDPR relevant to connected cars?

Data is the name of the game. The majority of new cars come with a variety of Internet connected features, which collect, use, and share vast amounts of data about the car. It is estimated that by 2020 a single car will produce 30 terabytes of information daily.

The range of data collected includes diagnostics (e.g. speed, tire pressure, fuel economy, engine temperature), event data recorders (e.g. navigation and distances from other cars, connection to emergency services), infotainment systems, as well as embedded SIM cards.

Since the GDPR is all about personal data, information that can be used to identify a person falls under its scope. With all the data collected by cars, identifying the driver (and even the passengers) is possible.

Furthermore, under this regulatory framework, sensitive personal data will require the express consent by users in order to be collected. This is likely to include biometric data (such as voice or fingerprint recognition), behavioral data (such as driving patterns, speed, acceleration, or vehicle stability), or personally identifiable information (such as a name, phone number, or username and password).

How does this apply to OEMs?

The GDPR examines the control over the personal data, rather than its possession, creating two types of roles that affect the extent of responsibilities. Data controllers are companies that determine the purpose for which or the way in which personal information is processed. Data processors are companies that process personal information on behalf of the data controller (making both categories apply to some companies who both handle and process information).

Since automotive OEMs control the data accessed and used by services providers, such as insurance companies and garages, they fall under the category of Data Controllers and are subject to increased compliance obligations, including being directly responsible for implementing appropriate security measures.

Are OEM’s obligations just about reporting?

No. The GDPR goes beyond data reporting around vehicle IT to promote security by paying attention to the implementation of privacy by design and privacy by default. These are requirements for companies to design systems with data protection in mind (e.g. amount of information collected, the extent of processing, storage period and accessibility).

This will be relevant to OEMs who will be expected to design products and services with privacy and security in mind, such as encryption and hacking tests, especially when the data generated is individualized.

Moreover, as connected cars become more complex and their internal components become centrally coordinated, it is becoming even more important to design resilient security networks and increase the preparedness of cybersecurity teams to respond to a breach. The risks of OEMs not meeting compliance or privacy strategy requirements go beyond the high fines to reputational damage and customer alienation.

How can Upstream  help OEMs comply with the GDPR?

The GDPR will require OEMs to apply effective security measures to protect the data they collect and process. This includes the need to effectively handle data loss, privacy leak and fraud attempts, as well as set up crisis management and reporting procedures to the authorities and affected individuals.

Upstream’s solution acts as an in-house “police officer” that provides real-time visibility on the status and functions of the vehicles by alerting about a range of events: security, privacy, fraud, and malfunction. This enables the integration of risk assessments and mitigation plans into the OEM’s overall operations, boosting data privacy protection.

To learn more about Upstream’s innovative solutions