What Does the GDPR Have to Do with Car OEMs?

ODED YARKONI

VP Innovation

July 10, 2017

5 Insights for a smooth regulatory ride

Chances are that you’re running into the acronym GDPR more and more. But unless you’re a seasoned lawyer or European bureaucrat, it remains one of those buzzwords you’re supposed to know about, yet you’re probably still not sure what it means or how it applies to your business. Don’t worry, that’s why we wrote this post.

What is the GDPR?

The General Data Protection Regulation (GDPR), coming into force in May 2018, is all about providing stronger protection to personal data. Although this new regulatory requirement only applies to EU citizens, it will also affect companies that operate from outside the EU if they offer goods or services to EU residents or monitor the behavior of EU residents.

While the GDPR introduces new individual rights, such as consent to data collection and processing, access and request for deletion, it also presents new requirements, such as reporting data breaches within 72 hours of detection, mandatory privacy impact assessments, and appointing a Data Protection Officer.

This legislation will also have bite: it sets the maximum fine for a single breach of this data protection law at the greater of €20 million or 4% of the company’s annual global turnover.

How is the GDPR relevant to connected cars?

Data is the name of the game. The majority of new cars come with a variety of Internet-connected features, which collect, use, and share vast amounts of data about the car. It is estimated that by 2020 a single car will produce 30 terabytes of information daily.

The range of data collected includes diagnostics (e.g. speed, tire pressure, fuel economy, engine temperature), event data recorders (e.g. navigation and distances from other cars, connection to emergency services), infotainment systems, as well as embedded SIM cards.

Since the GDPR is all about personal data, information that can be used to identify a person falls under its scope. With all the data collected by cars, identifying the driver (and even the passengers) is possible.

Furthermore, under this regulatory framework, sensitive personal data will require the express consent of users in order to be collected. This is likely to include biometric data (such as voice or fingerprint recognition), behavioral data (such as driving patterns, speed, acceleration, or vehicle stability), or personally identifiable information (such as a name, phone number, or username and password).

How does this apply to OEMs?

The GDPR examines control over personal data, rather than its possession, creating two types of roles that affect the extent of responsibilities. Data controllers are companies that determine the purpose for which or the way in which personal information is processed. Data processors are companies that process personal information on behalf of the data controller (some companies both handle and process information, so both categories apply to them).

Since automotive OEMs control the data accessed and used by service providers, such as insurance companies and garages, they fall under the category of Data Controllers and are subject to increased compliance obligations, including being directly responsible for implementing appropriate security measures.

Are OEMs’ obligations just about reporting?

No. The GDPR goes beyond data reporting around vehicle IT to promote security by paying attention to the implementation of privacy by design and privacy by default. These are requirements for companies to design systems with data protection in mind (e.g. amount of information collected, the extent of processing, storage period and accessibility).

This will be relevant to OEMs who will be expected to design products and services with privacy and security in mind, such as encryption and hacking tests, especially when the data generated is individualized.

Moreover, as connected cars become more complex and their internal components become centrally coordinated, it is becoming even more important to design resilient security networks and increase the preparedness of cybersecurity teams to respond to a breach. The risks of OEMs not meeting compliance or privacy strategy requirements go beyond the high fines to reputational damage and customer alienation.

How can Upstream help OEMs comply with the GDPR?

The GDPR will require OEMs to apply effective security measures to protect the data they collect and process. This includes the need to effectively handle data loss, privacy leaks and fraud attempts, as well as set up crisis management and reporting procedures to the authorities and affected individuals.

Upstream’s solution acts as an in-house “police officer” that provides real-time visibility on the status and functions of the vehicles by alerting about a range of events: security, privacy, fraud, and malfunction. This enables the integration of risk assessments and mitigation plans into the OEM’s overall operations, boosting data privacy protection.
