What Does the GDPR Have to Do with Car OEMs?

ODED YARKONI

VP Innovation

July 10, 2017

5 Insights for a smooth regulatory ride

Chances are that you’re running into the acronym GDPR more and more. But unless you’re a seasoned lawyer or European bureaucrat, it remains one of those buzzwords you’re supposed to know about but are probably still not sure what it means or how it applies to your business. Don’t worry, that’s why we wrote this post.

What is the GDPR?

The General Data Protection Regulation (GDPR), coming into force in May 2018, is all about providing stronger protection to personal data. Although this new regulatory requirement only applies to EU citizens, it will also affect companies that operate from outside the EU if they offer goods or services to EU residents or monitor the behavior of EU residents.

While the GDPR introduces new individual rights, such as consent to data collection and processing, access and request for deletion, it also presents new requirements, such as reporting data breaches within 72 hours of detection, mandatory privacy impact assessments, and appointing a Data Protection Officer.

This legislation will also have bite: it sets the maximum fine for a single breach at the greater of €20 million or 4% of the company’s annual global turnover.

How is the GDPR relevant to connected cars?

Data is the name of the game. The majority of new cars come with a variety of Internet-connected features, which collect, use, and share vast amounts of data about the car. It is estimated that by 2020 a single car will produce 30 terabytes of information daily.

The range of data collected includes diagnostics (e.g. speed, tire pressure, fuel economy, engine temperature), event data recorders (e.g. navigation and distances from other cars, connection to emergency services), infotainment systems, as well as embedded SIM cards.

Since the GDPR is all about personal data, information that can be used to identify a person falls under its scope. With all the data collected by cars, identifying the driver (and even the passengers) is possible.

Furthermore, under this regulatory framework, sensitive personal data will require express consent from users before it can be collected. This is likely to include biometric data (such as voice or fingerprint recognition), behavioral data (such as driving patterns, speed, acceleration, or vehicle stability), and personally identifiable information (such as a name, phone number, or username and password).

How does this apply to OEMs?

The GDPR looks at who controls personal data rather than who merely holds it, and defines two roles that determine the extent of a company’s responsibilities. Data controllers are companies that determine the purpose for which, or the way in which, personal information is processed. Data processors are companies that process personal information on behalf of a data controller. A company that both determines the purpose of processing and carries it out falls into both categories.

Since automotive OEMs control the data accessed and used by service providers, such as insurance companies and garages, they fall under the category of data controllers and are subject to increased compliance obligations, including direct responsibility for implementing appropriate security measures.

Are OEMs’ obligations just about reporting?

No. The GDPR goes beyond breach reporting around vehicle IT and promotes security by requiring privacy by design and privacy by default. These requirements oblige companies to design systems with data protection in mind from the outset (e.g. the amount of information collected, the extent of processing, the storage period, and who can access the data).

This is relevant to OEMs, who will be expected to design products and services with privacy and security built in, for example through encryption and penetration (hacking) tests, especially when the data generated can be tied to an individual.

Moreover, as connected cars become more complex and their internal components become centrally coordinated, it becomes even more important to design resilient, segmented in-vehicle networks and to increase the preparedness of cybersecurity teams to respond to a breach. The risks to OEMs of not meeting compliance or privacy requirements go beyond high fines to reputational damage and customer alienation.

How can Upstream help OEMs comply with the GDPR?

The GDPR will require OEMs to apply effective security measures to protect the data they collect and process. This includes the ability to handle data loss, privacy leaks, and fraud attempts effectively, as well as to set up crisis management and reporting procedures for the authorities and affected individuals.

Upstream’s solution acts as an in-house “police officer” that provides real-time visibility into the status and functions of the vehicles by alerting on a range of events: security, privacy, fraud, and malfunction. This enables risk assessments and mitigation plans to be integrated into the OEM’s overall operations, strengthening data privacy protection.
