The General Data Protection Regulation (GDPR) is a European Union law ensuring the protection of individuals with regard to the processing of their personal data and on the free movement of such data. This law is already in effect from 25 May 2018 in all member states of the European Union.
This implies that all the entities (businesses, local governments or other organisations) must be GDPR compliant, if they are responsible for the controlling or processing of EU citizens’ personal data. There are penalties to be levied to the tune of 20 million euro or 4% of the global revenue turnover of the organisations, if they are found to be non-compliant to GDPR guidelines.
Appreciating the fact that CRM systems hold the ‘customer personal data’ (Master data management) in most of the automotive organisations, therefore changes in CRM systems become evident to implement the GDPR. The scope of this article is to outline the changes required in CRM systems to implement the GDPR guidelines in the automotive industry. Before we embark on this journey, it is important to address following questions:
- What is the scope of GDPR in automotive OEM (original equipment manufacturer) context?
- What GDPR means for individuals and OEMs?
Scope of GDPR
This regulation applies to the processing of personal data (EU Citizens) wholly or partly by automated means or by manual filing system. The interpretation of personal data means the information by which a person can be identified directly or indirectly.
For instance, a name, an identification number or location data, or one or more factors if applied to distinguish an individual from the group is considered as a personal data record. Similarly, the processing of personal data refers to operation or operations performed on personal data or on sets of personal data, whether by automated means or not, such as collection, recording and structuring.
GDPR (out of scope): When the data processing is carried out in the course of activities related to national security, political co-operation as foreign policy, humanitarian aid, personal / household activities (social networking), police and criminal justice data protection.
What GDPR means for individuals
As per GDPR guidelines, each individual (EU resident) has been given certain data protection rights which they can exercise directly with OEMs (data controllers):
- (Right of access) The data subjects have the right to obtain details of personal data in a concise and easily accessible from the data controllers
- (Right to Rectification) The data subjects can rectify their inaccurate personal data by requesting the data controllers without any undue delay
- (Right to object) The data subject can always exercise their right to prevent the controllers from the further processing of personal data if there are no compelling legitimate grounds for continuing it.
- (Right to restriction of processing) Partial processing of the personal data based on data subject request
- (Right to be forgotten) erasure of personal data concerning the individuals without undue delay
- (Right to data portability) Transmission of data from one controller to another in electronic form (commonly used machine readable format)
- (Rights regarding automated decision-making) The data subject has the right; not to be subjected to a decision that is based only on an automated processing, including profiling
What GDPR means for OEMs (data controllers)
As per GDPR guidelines, OEMs need to ensure adherence to following principles in relation to managing personal data of individuals (existing customers or prospects):
- Lawful, fairness and transparency (Any information and communication concerning the processing of personal data for individuals must be easily accessible by them)
- Purpose limitation (data to be collected only for specified, explicit and legitimate purposes)
- Data minimisation (Personal data must be adequate, relevant and limited to what is necessary for business purpose)
- Data accuracy (To ensure that personal data are accurate and are kept up to date where it is necessary)
- Storage limitation (Personal data must be kept in a form that makes it possible to identify data subjects for no longer than is necessary for the purposes of the processing)
- Integrity and confidentiality (To protect the individual’s personal data against the unauthorised or unlawful processing, destruction and damage)
Changes required in the CRM system
The below figure 1 represents the list of CRM processes which require changes to implement the GDPR guidelines:
1. Customer data management:
Post GDPR enforcement, all automotive OEMs are expected to capture customer consents in a more granular manner to manage the marketing permissions. Earlier consent management practices were generic and incoherent for individuals to interpret. In current GDPR parlance, the following changes have been considered to manage the individual consents:
a) Generic consent needs to be categorised into different consent topics.
b) Individuals will be given options to provide the consent through multiple communication channels.
c) By default, customer consents for marketing permissions for each consent topic should be treated as ‘no consent given’ and individuals need to be contacted again (consent campaigns) for consents.
d) Channels of consent, date of consent received and form of the consent needs to be maintained in the CRM system.
The table below summarises the data attributes required to manage the consent:
Data anonymisation: To implement right to object capability, personal data needs to be anonymised in the CRM system. Anonymisation cannot be done for a record, where OEM has the obligation to keep the customer personal information of the individual (legal case, pending complaint etc.)
2. Lead management:
CRM systems typically holds leads from different sources (OEM generated leads; third party generated leads and leads generated by OEM dealers). For GDPR compliance the vendor consent matrix needs to be managed now in the CRM system to update or ignore the individual’s consents captured by third parties. In case third party vendor has generated lead on behalf of OEM, consent will be updated in the CRM system.
3. Campaign management:
During the customer segmentation process, all the individual records should be excluded from the target group where customer consent has not been given. Similarly, customers data profiling (loyalty score generation, predictive marketing, customer retention index, surveys) should be disabled, where customer consent is not given.
4. Case management:
The data subjects (individuals) can demand a report from OEMs to access their data. This is also referred to as a Data Subject Access Report (DSAR). As per the new process, a case needs to be created in the CRM system to generate the report with SLA of 28 days.
5. Non functional requirements:
a) CRM system environments: Development and testing environments should not hold actual customer personal data. All the data should be scrambled before execution of test scenarios. During data migration and cut over stage (Go-live stage), the entire real customer data should be deleted from the staging area.
b) Data access and control: There should be role based CRM access to the users. The privilege to download / export the customer data report should be given to super users only with valid business justification. Any amendment in customer record should be supported by audit trail.
c) Data cleansing: Periodic data cleansing activity should be performed in the CRM system to retain the customer data quality.
d) CRM incident management: Customer data should always be masked while communicating the ticket details with various stakeholders. Customer consent is mandatory (thru email) where any change is required to amend the customer data to resolve the CRM incident.
As the automotive industry is embracing Industry 4.0 vision, GDPR implementation should be seen as strategic intervention to support the future business growth rather than a mere compliance exercise.