In just nine months -- May of 2018 -- the EU's new General Data Protection Regulation (GDPR) goes into effect and many car-related companies, like those in other industries, may not be ready for this substantial overhaul of data protection laws.
Software and data increasingly help define today's vehicles and will certainly drive the industry when autonomous cars arrive in large numbers in the future, so new regulations like the GDPR matter. Just consider the fact that the law's new consent rules, broadened European privacy rights, and call for stricter procedures and public disclosure requirements. In cases of data breaches, they can translate to enormous fines of up to billions of euros for those not in compliance. For the most serious data breaches, the fines can be the equivalent of 4% of a company's annual (global) turnover.
Yet too many companies aren't paying attention. An IDC Research survey revealed that three-quarters of small- and medium-sized operations in Europe were either not aware or unsure of the impact of the new rules. Cars today include software, networks and use data and analytics so the GDPR should be top of mind.
This all comes during a positive time for the car industry in Europe, with sales up to a nine-year high, or 6.5%, with 15.1 million new vehicles being sold in the region's key markets in 2016. The data produced by cars and data driven services such as infotainment are important competitive and represent the early stages of new revenue streams for car companies. However, potential security issues can pop up involving the applications which could allow a user's car to be hacked or personal data to be compromised, causing breaches of GDPR.
The GDPR also includes a data erasure element, meaning that personal data must be removed and never disseminated. Technology and data models need to fully consider how to digitally hunt down and remove personal data, photos and videos wherever they might reside within a car and the far-flung networks the vehicle uses.
So what should auto companies and the many other services and businesses in this industry do to ensure compliance with GDPR? A few key steps can make a difference:
1. Make a well-reasoned location choice
Firms doing business in Europe can avail of a “one-stop-shop” compliance framework in which data companies will be regulated in the first instance by the supervisory authority in the country where they have their "main establishment." In that country where the data controller has his/her central administration, the decisions on the purpose and means of data processing are taken. For example, if a car gathering data located its data establishment in Ireland then this simplifies the approach to Europe's 27 jurisdictions and 600 million people.
2. Learn from the data giants
A critical requirement for such a location should be a powerful, proven track record in managing complex data oriented business. Ireland has emerged as a data and business hub in Europe for leading data companies such as Facebook, Yahoo!, Google, LinkedIn and others. Great thought went into the location decision for these data giants, who searched for countries with a well-educated workforce that has technology expertise, business-friendly government policies such as openness to immigration and other advantages.
3. Is there an existing data security regime?
Given the provisions within the GDPR promoting accountability and governance, countries that already take data seriously have a big edge. One way of determining this is whether the country has already well established and tested rules and regulations related to data protection in place -- ideally, under the control of a skilled, effective, independent regulator and with a strong body of knowledge in industry. A firm but consultative approach is essential as is access to experienced professional service firms
4. Look for strength in related areas
Countries with a strong track record in areas related to data such as building cloud infrastructures, running successful inside sales operations for data-oriented businesses and strength in the networking arena are key. The latter means designing and building networks that operate with a pan-European model. In the increasingly data-led future, another optimal strength will be attracting the kind of forward-looking companies that make the software and electronic systems being built into cars, such as vision systems, chips for safety and navigation controls, autonomous driving systems and more.
5. Consider the future
The GDPR will mean that auto industry companies need to make corporate investment to plan for the new rules. Companies need to factor in where the auto industry is going in the march toward autonomous vehicles at the same time they're choosing the best operating location to comply with the new rulings. It's all about data, whether it's used for mapping, analysis of driving patterns, the all-important issue of safety or data as the foundation of lucrative new services.
What this means is that software and technology represent the future much more than manufacturing so the proper gathering, sending, analyzing and storing of data should be the focus areas for companies in the automotive industry. Considering that, it's not so surprising that the EU has created its strict new regulations to protect its citizens against the misuse of personal information. The most forward-thinking companies will see the rulings as advantageous, with better access to consolidated, cleaner data that can lead to fewer security breaches and happier customers through improved service in a more customer-centric world.
Edited by
Ken Briodagh
