What’s GDPR?

The General Data Protection Regulation (GDPR) is a new regulation introduced by the European Parliament to strengthen and unify data protection for all individuals within the EU. The regulation’s aim is to harmonise data protection across all member states. It will supersede the UK Data Protection Act 1998. A new Data Protection Act 2018 will sit alongside the GDPR.

What does it mean?

GDPR will give people more rights regarding how their data is collected, stored, used and how organisations contact them.

Who is in Scope?

Firms that are processing EU citizen personal data for consumers and employees with effect from the 25th May 2018.

What if a firm does not comply?

Firms can be fined up to 4% of their annual global turnover, or €20 million, for non-compliance.

Information for Motor Dealers

Is MotoNovo Finance a Data Controller or a Data Processor?

MotoNovo is a data controller and data processor at the same time for the data for which it is responsible.

Are Motor Dealers a Data Controller or a Data Processor?

Motor Dealers are data controllers for the data they hold in their own right, such as their customers’ personal information when buying a vehicle, and for proposal data gathered by the motor dealer in the course of submitting a finance proposal to a finance company.

Motor Dealers are data processors for the data they hold as controller and for data they process for other parties, such as when a finance company asks the motor dealer to obtain additional information in respect of a finance proposal.

Where is Customer Data stored?

MotoNovo Finance stores personal information on our secure servers in our Newport Data Centre in an encrypted format.

Who has access to Customer Data?

Data is transferred outside the EEA in relation to certain functions, such as for anti-money laundering and terrorist financing screening; to our partner insurers to process insurance policy data; to our proposal application solution providers; to our securitisation partners for funding purposes and to credit reference agencies.

How long do we hold Customer Data?

MotoNovo will hold and process personal data as necessary to carry out our activities as a lender in the performance of a contract with the customer.   We will delete data when it is no longer necessary to hold it for our lawful purpose.

How is personal data protected?

MotoNovo’s access control rules are built based on the principle of separation of duties and least privilege.

All personal data stored in our infrastructure environment is encrypted at rest and in transit.

MotoNovo is ISO27001 compliant and treats customer data security with the utmost importance, as our customers rely on us to process their data securely. We are audited internally and externally annually, with penetration testing re-assessed, to ensure our information security management systems are compliant.

What are we doing regarding consumer rights?

The right to be informed

All applicants for finance will be provided with a summary online screen giving an overview of how MotoNovo will process their data. This will include a link to the full fair processing notice, which will give a detailed breakdown of how we will process their data, including a summary of the individual’s rights.

Motor Dealers will be required to supply a fair processing notice to their customers, detailing how they will hold and process the customer’s data at the earliest point in the customer relationship.

The right to erasure

MotoNovo will automatically delete customer data when there is no longer a lawful purpose to hold the data. An individual has the right to request erasure (commonly referred to as the “right to be forgotten”). This right only applies where data is held longer than the lawful purpose.

The right of access

Individuals have the right to request a copy of all their computer-based and paper data and a firm has 30 days to supply the data. This is free of charge.  MotoNovo will provide the data in line with regulatory requirements.

The right to rectification

Where data is incorrect, we will correct it within one month.

The right to object to processing or restrict processing

An individual can request that a firm stops processing their personal data. This would be where the data is incorrect or outside the lawful purpose of holding and processing the data.

The right to intervention in an automated decision

Individuals have the right to request that the underwriting decision made by automated means, such as by a scorecard rule-set, is reviewed by a person.  They have 21 days to make the request and then MotoNovo would have another 21 days to respond.

The right to opt out of receiving marketing information

We will market to our customers on the basis of our legitimate interest to let customers know about similar products and services that we offer, giving customers the right to opt out of receiving this information.

The right to data portability

The data subject’s right to data portability includes the right to receive a copy of the personal data from us in a commonly used and machine-readable format, so that the customer can store it for further personal use on a private device, thus giving the customer the ability to transmit their personal data to another service provider. As an example, providing an individual with .pdf versions would not be a machine-readable format.

We will provide the personal data within one month of receiving the request.

Are we updating our dealer / supplier contracts?

Yes, we have been busy updating these and will remain fully compliant with the GDPR.  You will be receiving an update to your contract shortly.  Also, our internal policies and procedures will be in line with GDPR by the 25th May 2018.

What changes are we making to our platform?

The major changes we will be making are to make sure all our online services are compliant with GDPR in that customers are fully informed of what will happen to their data.  Our system changes will inform individuals of their rights, and choices for marketing preferences.

We are building functionality to automate the data deletion process. This will mean that when the lawful purpose for retaining an individual’s data has expired, we will automatically erase the data held.

What changes impact you?

Contractual: Our legal team has been busy updating existing contracts to include the GDPR specific data processing provisions.

Don’t forget…

All this may look scary, but actually it’s designed to give individuals control over who holds their data, for what purpose that data is used and that it is deleted when there is no legitimate need for firms to keep hold of customer data.  After all, we are all customers too.

©2018 MotoNovo Finance.

MotoNovo Finance, a division of FirstRand Bank Limited (London Branch). Registered in England (Branch Reg. No: BR010027) at Austin Friars House, 2-6 Austin Friars, London, EC2N 2HD. FirstRand Bank Limited is authorised and regulated by the South African Reserve Bank. Authorised by the Prudential Regulation Authority. Subject to regulation by the Financial Conduct Authority and limited regulation by the Prudential Regulation Authority. Details about the extent of our regulation by the Prudential Regulation Authority are available from us on request. FirstRand Bank Limited (London Branch) is a branch of FirstRand Bank Limited, a public limited company registered with the Companies and Intellectual Property Commission in South Africa (Reg. No. 1929/001225/06) Head office: 4 Merchant Place, Corner Fredman Drive and Rivonia Road, Sandton 2196, South Africa