What Does the GDPR Have to Do with Car OEMs?

VP Innovation

July 10, 2017

5 Insights for a smooth regulatory ride

Chances are that you’re running into the acronym GDPR more and more. But unless you’re a seasoned lawyer or European bureaucrat, it remains one of those buzzwords you’re supposed to know about but are probably still not sure what it means or how it applies to your business. Don’t worry, that’s why we wrote this post.

What is the GDPR?

The General Data Protection Regulation (GDPR), coming into force in May 2018, is all about providing stronger protection to personal data. Although this new regulatory requirement only applies to EU citizens, it will also affect companies that operate from outside the EU if they offer goods or services to EU residents or monitor the behavior of EU residents.

While the GDPR introduces new individual rights, such as consent to data collection and processing, access to one's data, and the right to request deletion, it also presents new requirements, such as reporting data breaches within 72 hours of detection, mandatory privacy impact assessments, and appointing a Data Protection Officer.

This legislation will also have bite: the GDPR sets the maximum fine for a single breach at the greater of €20 million or 4% of the company’s annual global turnover.

How is the GDPR relevant to connected cars?

Data is the name of the game. The majority of new cars come with a variety of Internet connected features, which collect, use, and share vast amounts of data about the car. It is estimated that by 2020 a single car will produce 30 terabytes of information daily.

The range of data collected includes diagnostics (e.g. speed, tire pressure, fuel economy, engine temperature), event data recorders (e.g. navigation and distances from other cars, connection to emergency services), infotainment systems, as well as embedded SIM cards.

Since the GDPR is all about personal data, information that can be used to identify a person falls under its scope. With all the data collected by cars, identifying the driver (and even the passengers) is possible.

Furthermore, under this regulatory framework, sensitive personal data will require express consent from users in order to be collected. This is likely to include biometric data (such as voice or fingerprint recognition), behavioral data (such as driving patterns, speed, acceleration, or vehicle stability), and personally identifiable information (such as a name, phone number, or username and password).

How does this apply to OEMs?

The GDPR examines the control over the personal data, rather than its possession, creating two types of roles that affect the extent of responsibilities. Data controllers are companies that determine the purpose for which or the way in which personal information is processed. Data processors are companies that process personal information on behalf of the data controller (making both categories apply to some companies who both handle and process information).

Since automotive OEMs control the data accessed and used by service providers, such as insurance companies and garages, they fall under the category of Data Controllers and are subject to increased compliance obligations, including being directly responsible for implementing appropriate security measures.

Are OEMs’ obligations just about reporting?

No. The GDPR goes beyond breach reporting for vehicle IT: it promotes security through privacy by design and privacy by default. These require companies to design systems with data protection in mind (e.g. the amount of information collected, the extent of processing, the storage period, and accessibility).

This will be relevant to OEMs, who will be expected to design products and services with privacy and security in mind, for example through encryption and penetration testing, especially when the data generated is individualized.

Moreover, as connected cars become more complex and their internal components become centrally coordinated, it is becoming even more important to design resilient security networks and increase the preparedness of cybersecurity teams to respond to a breach. The risks of OEMs not meeting compliance or privacy strategy requirements go beyond the high fines to reputational damage and customer alienation.

How can Upstream help OEMs comply with the GDPR?

The GDPR will require OEMs to apply effective security measures to protect the data they collect and process. This includes the need to effectively handle data loss, privacy leaks, and fraud attempts, as well as to set up crisis management and reporting procedures for the authorities and affected individuals.

Upstream’s solution acts as an in-house “police officer” that provides real-time visibility on the status and functions of the vehicles by alerting about a range of events: security, privacy, fraud, and malfunction. This enables the integration of risk assessments and mitigation plans into the OEM’s overall operations, boosting data privacy protection.
