Time is Running Out… is Your Car GDPR Compliant?
Change is the order of the day for the automotive industry. Cars are going solo. Traffic tests of autonomous cars are occurring all over the world, even if scientists differ on whether the technology is ready to be deployed in everyday traffic. However, this concerns mainly safety issues, such as the physical safety of passengers and pedestrians that are still more or less matter of a theory, but other relevant issues, such as data protection and cybersecurity are already relevant.
At this time, an increasing number of cars on the roads are connected to the internet and gathering data on their drivers, surroundings, traffic conditions and many more factors. We are talking about so-called connected cars, which offer owners, drivers and passengers enhanced comfort through the quality enhancement process possible from complex data analysis. Research has shown that some connected cars can collect up to 25 GB of data per hour and approximately 2 GB of this data can be digitally transferred every hour to the original equipment manufacturer (OEM). That is right – in a few days, a single car can produce terabytes of information.
With the approaching date of GDPR’s effectiveness, there are questions to ask. Are these cars GDPR compliant? How can compliance be ensured with the constant state of new developments, high demand and complexity of the automotive industry? What data protection concerns should OEMs focus on regarding their connected cars? Although the Czech Republic is traditionally strong in the automotive industry, these are not yet frequently asked questions when it comes to data protection.
Privacy by design
Privacy by design is GDPR’s answer to all technological fields that require compliance. Research and development are booming in the automotive industry, constant enhancements through new and better technology. Likewise, with growing connectivity, automotive research and development, connected cars are following the path of the computer and cell phone industries. These industries also had to tackle personal data protection issues because of the amount of data gathered. Moreover, experience has shown that it is more efficient to start from scratch when data protection is concerned than to catch up on compliance when the product is already on the shelf or, in the case of a connected car, in a showroom.
Therefore, when developing a new car system, personal data protection compliance should be ensured from day one. Teams of data protection specialists should assess all apps, solutions, and systems, in order to prevent possible breaches or non-compliance leading to hefty administrative fines. Engineers should work alongside compliance specialists and discuss every new solution from the data protection point of view. This way the privacy of data subjects can be secured.
Awareness of customers as data subjects is growing every day and they are no longer indifferent to personal data protection. To this end, transparency is the key. OEMs must ensure that their customers are familiar with what data is collected, for what reasons and on what grounds. Informing customers of their rights regarding data protection can be achieved in various ways. The process typically starts when the purchase agreement for a connected car is signed – contracts for connected cars are usually much more complex than those for ordinary cars, primarily because of the data protection requirements.
Privacy policies should be multilevel, similar to those used by tech giants. They should be easy to read, while including all necessary information data subjects need to make informed decisions. Employees who handle personal data will require additional training and education on compliance with privacy laws to rule out employee contribution to inadvertent breaches.
Transparency should continue from the signing of the purchase agreement throughout the use of the car. Information should be displayed on the car’s main display with every update of the car system. It should also include an opt-out option when the collection of personal data requires the data subject’s consent. The opt-out option should be as easy as possible to understand to ensure the best experience for the data subjects.
Apart from the enhancement of the driving experience, data collected can also create added value for the OEM in the form of big data. Collecting information on driving habits, a multitude of location information, driver and passenger preferences, pedestrians and more, it is not surprising that “overall revenue pool from car data monetization at a global scale might add up to USD 450 – 750 billion by 2030”, according to a report by McKinsey & Company. This is yet another reason for OEMs to ensure compliance because a significant amount of the data collected is personal data. Non-compliance will result in loss of profit in the form of ineffective data monetization, as well as exposure to administrative fines.
GDPR imposes data minimization as one of its key principles. Data minimization is maybe the biggest challenge OEMs have to face in connected car manufacturing. It requires a product designed to collect as much data as possible to only collect personal data deemed necessary and in the smallest amount possible. Impossible? Not necessarily. When privacy by design is observed from the beginning of the manufacturing process and legal instruments, such as privacy policies, are in place, the data minimization principle should certainly not mean the end of connected car.