Connected cars and privacy: shifting gear for GDPR?

IN 30 SECONDS

• In the era of the connected car, OEMs need to transform their approach to customer data, address privacy concerns and comply with regulation especially regarding the new GDPR

• These challenges are compounded by rapidly evolving privacy regulations, and the difficulty of changing mindsets within well-established businesses

• We provide six recommendations for vehicle manufacturers to rethink their fundamental approach to privacy and establish it as a core tenet of their businesses

RECOMMENDATIONS

In October 2015, Volvo announced it would accept full liability for its cars when they are driving in autonomous mode (note 8). This move represents a landmark for connected cars, effectively removing one area of concern for consumers as they make purchasing decisions on new cars. Now, OEMs need to make the same leap forward for privacy.
In order to deal with privacy issues in a holistic way that complies with the GDPR, OEMs must address a number of challenges and change their structures to accommodate privacy across the whole business. But where to start?

1. Becoming GDPR compliant

To be ready for the GDPR coming into effect in May 2018 OEMs must start planning and acting now. To begin with, they should review the legislation to understand its implications. As OEMs are still navigating how to best use connected car data for customer and business value, complying with the GDPR adds additional complexity. Establishing the amount of effort required at the beginning to cover the full scope of personal data used across the business is vital to ensuring a successful compliance project.

Carrying out an audit of the personal data an organisation holds and processes is a critical first step to understanding what data is held, where it originated and who it is shared with. Connected Car initiatives have driven OEMs to ask customers to sign a Connected Car Privacy Policy as part of their account set up. These must be reviewed to ensure they are in line with GDPR requirements with particular attention paid to the rights which individuals have. Do policies afford individuals the ability to request the data that is held about them? Can individuals correct their data? Are individuals able to delete their data?

Deletion of data is a particularly thorny issue. For OEMs to provide Connected Car services they are often required to transfer and store data across multiple different platforms and to share data with suppliers. The surfeit of data processors means that OEMs must implement particularly robust processes to allow them to comply with customers’ requests that their data be deleted. Moreover, such requests have to be balanced against requirements to retain data to protect OEMs against litigation.

Another important consideration is whether the current processes ask customers for their consent to be contacted directly based on vehicle diagnostic information and consent for this data to be shared with the dealer network and to receive proactive communications? [RM1] These are only some of the rights which individuals have because of the GDPR.  However, drafting a compliant Privacy Policy is only half the battle – the critical question for organisations is if they have the processes in place to allow individuals to exercise their rights?

Implementing the required processes is essential for organisations to understand their data flows – they can do so through mapping where their data is sent. This will allow them to identify any weaknesses in their data security and IT infrastructure. Once all of this is understood they should draft and prioritise a set of initiatives which will enable them to become GDPR ready.

BMW recently launched CarData, positioning itself at the forefront of GDPR compliance. This new service provides a high level of transparency, security and puts their customers in control of their telematics data. Customers are provided with a summary of the data sent by their vehicle to BMW ConnectedDrive system, and a view of the latest version of their data. They can also request that their data be archived and have the option to share their data with third parties.

2. An executive-level commitment to privacy

Privacy must become an integral part of every OEM’s company vision, and a core component of the company culture. Despite some recent initiatives, this is yet to be the norm industry-wide. The first step in this direction is reaching consensus at board level that privacy must be managed comprehensively, at every stage of connected-car development and beyond. Once this is attained, OEMs will be in a position to begin securing data at every stage of the value loop, within every node of the organisation.

The next step is appointing a data protection officer to the C-suite, who will be responsible for developing a company-wide privacy programme to deliver GDPR compliance to historical data and all future data initiatives. Companies can then implement a privacy committee or centre of excellence, install privacy champions in every department, build training plans for privacy awareness, and run regular privacy audits across the business.

3. A holistic approach to Privacy by Design (PbD)

First conceived in 1995, Privacy by Design (PbD) has shot to prominence in recent years thanks to the advent of bigdata technologies, and their implications for consumer privacy. At the heart of PbD is the idea that privacy should be taken into account throughout the whole engineering process, rather than tacked on at the end. PbD is now widely accepted by regulators around the world as a fundamental aspect of privacy protection and is a key concept in GDPR.

PbD brings many benefits to organisations that adopt it into their engineering processes. First, it engenders increased awareness of privacy issues within businesses. Second, it assists companies in identifying potential privacy issues at an early stage of development. This will help minimise projects being scrapped belatedly as  non-viable from a privacy perspective.

To implement PbD, clear communication channels need to be established – whereby information on current regulations informs the planning of design projects, and an appropriate and structured review process is in place that involves the relevant stakeholders, including product development teams, connected-car teams and legal departments. This approach must also be pragmatic: managing customer expectations over privacy must be weighed against the seamless experience that connected car technologies will provide them with.

Many technology leaders already incorporate PbD into their existing development processes. Facebook’s Chief Privacy Officer claims that the company incorporates PbD principles into every product, feature and update it now builds (note 9). Apple encrypts all outgoing messages from its iPhones without storing the unique encryption key, meaning the company couldn’t hand the keys over to the authorities even if it wanted to (note 10). OEMs must hold themselves to the same standards as these privacy leaders.

4. Rethink and retool legal

Privacy issues demand legal solutions. As well as the traditional duties of negotiating contracts with suppliers and defending their employer from lawsuits, OEM legal teams must become advocates for customer privacy in the new environment of PbD – a drastic change in both culture and scope. Much rides on whether legal teams can resist acting as blockers to bright ideas, and instead act as facilitators of innovation just as they continue to foster privacy awareness.

Nowadays, when a vehicle manufacturer is deciding which new connected services to offer, it is the job of legal to advise on what can be done from a data protection point of view, in addition to what the customer privacy expectations are in that domain. For this to be more effective, legal teams need to become better integrated into the strategy, design, development and engineering phases of connected-car teams. They will also need to learn, speak and teach a new language: privacy. All of this requires that legal professionals possess skill-sets in these areas - presenting a new hiring and training challenge for OEMs.

To that end, vehicle manufacturers should create connected-car data privacy roles that get involved at every stage of the product development and launch process. To supervise this team, there should be a connected-car data protection officer who would report to the company’s new C-level data protection officer. Qualified lawyers with expertise in contracts, data protection and an understanding of the GDPR then need to be brought on board. This team should sit in the connected-car business unit and have a deep understanding of the services being developed. In this way, it should be able to offer targeted legal advice and, most critically, direct and realign development based on regulatory compliance.

5. Keep an eye on changing privacy regulations

The GDPR is just one example of how privacy legislation is evolving, data legislation also changed in Russia in 2016. Even small changes in policy can have immediate and disruptive effects for OEMs. 

To ensure compliance with the GDPR and any legislation which may follow, and therefore mitigate the risk of legal challenges, vehicle manufacturers must extend the remit of existing compliance teams towards data protection and the digital environment. The first role of these new teams should be to monitor regulatory changes worldwide that impact customer data protection, and communicate these changes to the relevant stakeholders before they come into force. The team should then provide instantaneous impact assessment on data regulation compliance for every change, across every country and product. This should help unearth the changes that need to be made, and lead change across the business.

The second role of these teams should be to influence and lobby regulatory bodies to push data privacy in a direction that will benefit the current business strategy of the OEM. These new roles will require different skillsets from the teams managed by the OEM’s Chief Compliance Officer, which will require the recruitment of lawyers expert in data protection, as well as lobbyists and compliance analysts.

OEMs would do well to look at Microsoft as an example of a global company implementing these privacy measures effectively. The company has a ‘global privacy community’ composed of privacy champions, leads and managers, who give advice across the whole business on privacy-related issues. Each business group is responsible for ensuring that it is compliant with corporate privacy requirements, with mechanisms in place to ensure this happens, including training, privacy identification tools, and an escalation response framework (note 11).

6. Make privacy a core tenet of the brand

At the heart of all these privacy issues is the need to design connected-car services in a way that allows customers to exert meaningful control over their personal data, whilst maintaining their enjoyment of the services provided.

This means developing a forthcoming, informative privacy policy and set of terms and conditions for consumers. This is an area where OEMs can learn from best practices: Uber and Facebook, for example, group their privacy settings in easy-to-read modules, and use a multilayered approach. As standard practice in these companies, each privacy setting can be summed up in one sentence but, if customers click through, they have access to extended information. New policy changes are explained clearly to customers in one email, with an opt-in box to click.

A key function of privacy settings already available from leaders and required by GDPR is the ability to easily opt out of the connected-car services, erasing all customer data and details collected, as well as the ability to download all the data that a company has collected from them (note 12). OEMs must now adopt this as standard. But in order to reach the next level of customer engagement when it comes to privacy, OEMs could also consider public awareness campaigns: from infographics to privacy FAQs and videos – anything that enhances the OEM’s profile as a privacy leader will go a long way to boosting the culture of privacy in the organisation.

However, learning from other sectors will only take vehicle manufacturers so far. A mobile phone, for example, typically only has one user over the course of its lifetime, but a car could have multiple users and multiple owners. How can OEMs ensure that every time a person gets in the driving seat, they have accepted the privacy policy for each service? Should the customer assume their data will always remain private unless specifically told otherwise? These are questions to which OEMs must find answers.

KEY TAKEAWAYS

• Connected cars will change the relationship between the vehicle manufacturers and their customers – for the first time, they will communicate around the clock, and directly
• They will also change the nature of the OEM ecosystem – new players will emerge who want access to customer data in return for advanced products and services
• Keeping customer data safe will mean bringing the legal team into a bold new position within the OEM – and this will bring its own challenges of culture and integration
• The key to protecting customer data will be a holistic data privacy strategy – OEMs must integrate privacy into their culture and processes
• Legal teams will need to be completely re-shaped and integrated within connected-car teams in the boardroom, with appointments and policies that acknowledge the importance of protecting the privacy of their customers
• OEMs will need to keep a watchful eye on ever-evolving privacy regulations around the world to ensure their products match international compliance expectations
• Vehicle manufacturers can use privacy by design principles to create a holistic and pragmatic approach to privacy
• Overall, though, privacy must become a core part of the OEM’s brand
• This must translate into a smooth, easy-to-understand experience for the customer