What is the GDPR?
- The General Data Protection Regulation is a new, Europe-wide law that replaces the Data Protection Act 1998 in the UK.
- It places greater obligations on how organisations handle personal data.
- It comes into effect on 25th May 2018.
What information does the GDPR apply to?
- The GDPR applies to ‘personal data’.
- Personal data is any information relating to a living person which can be used, directly or indirectly, to identify them.
- Examples include contact information, financial records and internet search history.
How does the GDPR affect individuals?
- The GDPR gives people more say over what companies can do with their data.
- From 25th May 2018, companies must ensure personal data is processed lawfully, transparently, and for a specific purpose.
- Once that purpose is fulfilled and the data is no longer required, it should be deleted.
- These regulations make companies more accountable for protecting the information you (as a customer) supply to them.
- As an individual, you can control, within reason, how your data is used.
Who are the ICO?
- The Information Commissioner’s Office (ICO) is the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
- It holds companies accountable through the enforcement action and fines it carries out to ensure organisations meet their information rights obligations.
- You can report any concerns you may have to the ICO, read up on the rules and various legislative requirements and learn about the ICO’s enforcement news.
Where can I find more on the ICO?
- For more information you can visit the ICO’s website at https://ico.org.uk/.
Will the GDPR affect my rights?
- Only for the better: as set out below, the GDPR gives you enhanced rights compared with the Data Protection Act.
1) Right to Erasure.
- We have a legitimate interest in keeping customer data for a certain amount of time. This time is set by law.
- MotoNovo keeps the information for 6 years after the agreement is settled for legal reasons.
- If there is no legal reason to keep the data (for example, once the agreement is fulfilled), then MNF does not have to keep it.
- We will be introducing an automated data-purging tool which will enable us to do this more efficiently. Should a customer have any concerns, they can contact Customer Services to find out more.
2) Right of Access.
- The Right of Access is the same as a Data Subject Access Request (DSAR), an existing right under the Data Protection Act.
- Under the GDPR, from 25th May 2018, customers can have access to this data for free, whereas previously there was a £10 charge.
- MotoNovo will have a month to produce this information.
- If there is an excessive amount of information to produce, then MotoNovo will inform the customer of how long this will take.
The law says we have to give you this information within one month, unless the request is rather excessive and we have to go digging for it, in which case we may take a little longer and we may levy a charge of £10; if this happens, we will contact you to tell you. Just give us a call, or better still email us, not least because it is cheaper for you. Either way, we will verify who you are so that we give your information only to you and not to anyone else.
3) Right to be Informed.
- MotoNovo, like all organisations, must be completely transparent about how we use personal data.
- We tell our customers this information via our Fair Processing Notice (FPN), which has been updated to ensure transparency.
- Our FPN outlines the following:
- MNF will tell customers what we will do with the information they provide when they apply.
- We will also advise our customers of what we share and process, and with whom we do this, such as a credit reference agency.
- We will also tell them how we will use the information that we collect from them and for what purpose.
4) Right to Portability.
- Customers can request the information they have given to MNF (for example, name and contact information) and take it elsewhere, or reuse it across different services.
- It means customers can take and reuse their own data, rather than providing it all over again.
- This needs to be supplied to the customer within one month of the request.
5) Right to Rectification.
- Customers have always had the right to let us know if there is anything wrong with their personal data, so this hasn’t changed under the GDPR.
- Customers can rectify their contact information either via My MotoNovo or by contacting Customer Services.
6) Right to Restrict Processing.
Customers can ask us to stop processing their data if:
- they believe the information we hold about them is inaccurate,
- they believe our processing is unlawful, or
- we no longer need to process their personal data.
If any of the above applies, we can still continue to store the personal data, but can only process it with the customer’s consent, and we would contact the customer to ask for this consent.
Are you GDPR ready?
What steps do I need to take to ensure we’re ready for GDPR in my business?
The ICO has created a useful guide for businesses to use when considering their GDPR readiness. You can find that here.
We’ve also pulled together some FAQs below which may help you with getting ready for GDPR, specifically when dealing with Customers who have MotoNovo Finance Agreements:
1. Data Controllers v Data Processors
What is a Data Controller?
The legal definition:
A Controller is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
- A Data Controller is the person or company who determines the purpose and means of the processing of personal data. The controller can act alone or jointly with others.
- MotoNovo Finance is a controller of personal data that we receive from a dealership or broker.
- As a dealer, collecting personal data from a customer in order to apply for their finance agreement, you would also be a Data Controller.
- When you submit the data into Nexus 2, Quote and Propose or any other point of sale system you might use, you then become a Data Processor.
What is a Data Processor?
Legal Definition: “[A] natural or legal person, public authority, agency or other body which processes personal data on behalf of a data controller”
- MotoNovo uses the data we hold about a Customer for credit referencing purposes. This becomes ‘processed’ data.
- Therefore, MotoNovo Finance will be a controller and a processor of a customer’s personal data.
What is classed as Marketing?
- Marketing is the action or business of promoting and selling products or services, including market research and advertising.
Why does MotoNovo ask customers if they want to Opt Out of Marketing?
Can customers ‘opt out’ of Marketing completely?
What are a customer’s Marketing options?
- Under the GDPR, customers have more control over their marketing preferences, that is, how they would like to be marketed to, if at all.
- Customers who have an existing agreement with us will have already “opted in” to Marketing.
- They can change these preferences on My MotoNovo or by contacting MotoNovo Customer Services (by email or phone).
- Marketing preferences are also covered under the Privacy and Electronic Communications Regulations (PECR), which you can find out more about here: https://ico.org.uk/for-organisations/guide-to-pecr/what-are-pecr/
How is a Customer’s information used for Marketing Purposes?
- We only market to customers about new products and/or services that we currently offer.
- We use the customer’s information to send them the marketing material. How this is done depends on the preferences they have chosen (e.g. email or letter).
What is PECR?
- The Privacy and Electronic Communications Regulations (PECR) sit alongside the Data Protection Act and the General Data Protection Regulation.
- They give individuals specific privacy rights in relation to electronic communications (such as marketing calls, emails, texts and faxes; cookies and similar technologies).
- You can access more information on PECR on the ICO’s website: https://ico.org.uk/for-organisations/guide-to-pecr/what-are-pecr/#1
3. Data Protection Impact Assessment (DPIA)
What is a DPIA?
- Privacy impact assessments (PIAs) are a tool you can use to identify and reduce the privacy risks in the way you do business.
- A PIA can reduce the risks of harm to individuals through the misuse of their personal information.
- It can also help you to design more efficient and effective processes for handling personal data.
- You can integrate the core principles of the PIA process with your existing policies.
- This reduces the resources needed to conduct the assessment and spreads awareness of privacy throughout your business.
What is a Personal Data Breach?
- A personal data breach means a breach of personal information security.
- This may lead to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
What happens if I become aware of a Personal Data Breach?
- You may be made aware of a Personal Data Breach either through your own internal checks or by a customer.
- These could be caused by theft, human error, technology failures, etc.
- The ICO website sets out your responsibilities in that situation: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/personal-data-breaches/
5. Data Protection Officer (DPO)
What is a DPO?
- A Data Protection Officer is an expert in data protection who can assist in monitoring internal compliance, inform and advise on your data protection obligations, provide advice regarding Data Protection Impact Assessments (DPIAs) and act as a contact point for data subjects and the supervisory authority.
- A DPO can be an existing employee or externally appointed.
- The DPO must be adequately resourced, and report to the highest management level.
Do I need a DPO?
A private body or organisation does not have to appoint a DPO if:
- Its main activities only ever involve monitoring data subjects with little infringement of those data subjects’ rights.
- It does not process special category personal information at all.
- It is only processing the special category personal information of a small group of data subjects.
However, the guidelines of the Article 29 Working Party on Data Protection recommend that, unless it is obvious that an organisation does not need to appoint a DPO, it should keep records of its decision-making process.
Questions that your Customers may ask you about us:
My customer has questions around how you will use their information. What should I tell them?
- How we will use their information will be included in the Fair Processing Notice (FPN) given to them when signing up to their agreement.
- They can also access our FPN on our website.
- They can update their marketing preferences and contact information in My MotoNovo.
- They can contact Customer Services via email, post or phone for more specific information: https://www.motonovofinance.com/customer-site/contact-us/
©2018 MotoNovo Finance.
MotoNovo Finance, a division of FirstRand Bank Limited (London Branch). Registered in England (Branch Reg. No: BR010027) at Austin Friars House, 2-6 Austin Friars, London, EC2N 2HD. FirstRand Bank Limited is authorised and regulated by the South African Reserve Bank. Authorised by the Prudential Regulation Authority. Subject to regulation by the Financial Conduct Authority and limited regulation by the Prudential Regulation Authority. Details about the extent of our regulation by the Prudential Regulation Authority are available from us on request. FirstRand Bank Limited (London Branch) is a branch of FirstRand Bank Limited, a public limited company registered with the Companies and Intellectual Property Commission in South Africa (Reg. No. 1929/001225/06) Head office: 4 Merchant Place, Corner Fredman Drive and Rivonia Road, Sandton 2196, South Africa