A brand new initiative geared toward improving privacy protections within the used vehicle sector has been launched by the National Association of Motor Auctions (NAMA).
The Data Deletion and Privacy Protection Certificate was developed with input from auction operators, compliance specialists and technology providers.
It’s designed to set standards around how personal data stored in vehicles is handled, covering areas including deletion procedures, auditability and reporting, operational workflows and governance aligned with UK GDPR.
Jonathan Butler, legal counsel on the Vehicle Remarketing Association (VRA) which is supporting thr initiative, said: “Legal evaluation and regulatory expectations clarify organisations handling vehicles – including rental, leasing, fleet and remarketing businesses – grow to be data controllers for private data stored in a vehicle once it returns to their possession.
“Failing to delete this data before the vehicle is passed to a different user may constitute illegal processing and a private data breach, potentially contravening several articles of UK GDPR.
“The brand new NAMA certificate provides the means for the automotive industry to take decisive motion to guard consumer privacy as connected vehicle features proceed to expand the amount of private data stored in modern vehicles.”
VRA member Privacy4Cars has been named the primary approved supplier under the initiative after its data-deletion platform was assessed against the scheme’s requirements.
The corporate said the method ensures personally identifiable information and other sensitive data is removed consistently and in a verifiable way before resale.
Philip Nothard, VRA chair, said: “As cars and vans incorporate increasingly digital technology, the responsible management of the non-public data stored in them is becoming an increasingly acute issue.
“From navigation histories and call logs to synced contacts and messages, modern vehicles routinely store sensitive information – and when those vehicles are returned, resold, or remarketed, that data regularly stays. For all of those reasons, this NAMA initiative is timely and welcome.”
The privacy risks were highlighted by Martin Wilson, VP partnerships for UK and EU at Privacy4Cars, who told a VRA conference in November that his team accessed a vehicle containing extensive personal information – including addresses, emails, contacts and navigation history. He said the “most shocking” discovery was that the motive force was a military contractor, and the stored navigation data included classified sites.
Under UK GDPR, an organisation that determines the needs and technique of processing personal data becomes an information controller. The article states that when a rental, leasing, fleet or remarketing business regains possession of a vehicle, it assumes control over the non-public data stored inside it.
It warns that continuing to store or disclose that information with out a lawful basis risks breaches of UK GDPR requirements around lawfulness, fairness and transparency, data minimisation, and security of processing, and that passing a vehicle to a different user without erasing the information may amount to illegal processing and a private data breach.
The Information Commissioner’s Office (ICO) can impose significant penalties for UK GDPR breaches, with fines of as much as £17.5 million or 4% of worldwide annual turnover.
This Article First Appeared At www.am-online.com
