GDPR 

We've compiled a list of FAQs relating to GDPR.

You’ve probably heard a lot about GDPR in the news, the trade press, and from your suppliers. Here at Close Brothers Motor Finance, we’re keen to let you know what it means for you, your relationship with us, and our relationship with our customers.

The General Data Protection Regulation (or GDPR for short) is a piece of EU regulation that came into force on 25 May 2018 and is intended to bring data protection regulation up to date. Since the launch of the Data Protection Act, the technology landscape has changed dramatically and data is now being used in many more ways than it was previously.

Below you will find a list of frequently asked questions on GDPR and the changes you will notice from us.

From 25 August 2018, you will only be able to see proposals placed with us in the past 90 days.

We believe that 90 days is a long enough period for you to complete your transaction with the customer, and after that, there should be no reason for you to be able to access customer data and put yourself at risk of breaching the GDPR. The GDPR is very clear that you must 'carefully consider and justify how long you keep personal data' - we are fulfilling that obligation by clearing data that is more than 90 days old.

The changes will happen in the back end of the Showroom system. You will not need to make any changes to your account or processes.

We’ve also made changes to our privacy notice, so you might notice the wording change on the privacy notice screen that you ask customers to read through. This is the short form version. The long form version can still be found on our website; there’s a link to it right at the bottom of each page.

If you are arranging an application over the phone, or a customer is making a remote purchase, then you need to explain the key points from our privacy notice to the customer. The key points are the purposes for which Close Brothers Motor Finance will use the customer's data, and how our credit reference agency will use the customer's data.

CRAIN stands for Credit Reference Agency Information Notice. It is the joint privacy notice for the credit reference agencies (Experian, Call Credit etc.). It’s something that we need to make the customer aware of and advise them on how they can access it. We’ve got the URL in our privacy notices (as above), and you should make sure the customers are aware of their right to access this.

We’re making some changes to how our customers consent to us using their data. Both on eClick and on the manual proposal forms, customers are now presented with two tick boxes: one to opt out of receiving marketing material from us, and one to opt in to us sharing their data with our third-party partners.

Yes. From 25 May, we will no longer accept applications on the old proposal form, containing our old privacy notice. We will only accept proposals on the new Close Brothers Motor Finance proposal form, and not on any other type of form, whether it is for another finance provider or a dealership-specific one.


Please destroy any of the old Close Brothers Motor Finance proposal forms you may still have in stock, and make sure you order your new forms in plenty of time for 25 May. Speak to your Account Manager to order the new forms.

Under GDPR, you cannot retain personal data for any longer than is necessary, so if you do want to hold on to it, you need to have a legitimate reason for doing so. If, for example, a customer buys a vehicle from you, together with a service plan, then you may have a legitimate reason to keep their data for the period covered by their service plan as they will be returning to you on a regular basis for their services. However, if a customer fills in a web enquiry form, but doesn’t visit the dealership or convert into a sale, you should consider deleting this data as soon as possible.

The GDPR requires personal data to be processed in a manner that ensures its security. This includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. Data controllers are responsible for ensuring that personal data are kept secure, both against external threats (e.g., malicious hackers) and internal threats (e.g., poorly trained employees). You should think about who has access to your systems and paper files, and put controls in place where necessary to ensure that only individuals who have a need to access the data can do so. You should not allow people from outside of your organisation to have access to any personal information that you hold. If there is a lawful basis to share personal data with a third party you should ensure you have a contract in place with them with appropriate data protection provisions, and ensure the customer has been made aware of and, if consent is required, agreed to their data being shared in such a way.

It's important that you and your team understand what the GDPR is. Training is one of the first things that the ICO might ask about if they were to investigate your business, so make sure you keep a record of any training you provide to your team.

Yes – provided you have a lawful basis according to the GDPR. You can find more information about lawful bases here:
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/

The ICO also has a helpful page on marketing which we strongly recommend that you look at if you are considering marketing: 
https://ico.org.uk/for-organisations/marketing/  

One change you need to be aware of is that from 25 May you will no longer be able to use data from our systems (Showroom/Ask Close) to market to your customers.

Being transparent and providing accessible information to individuals about how you will use their personal data is a key element of the GDPR. The most common way to provide information about how you will use a customer’s personal data is in the form of a privacy notice. Most companies already have a privacy notice, but there may be some changes required to it under GDPR as the GDPR is more specific about the information you need to provide to people about what you do with their personal data. 


You should ensure that your customers have a chance to read or hear your privacy notice before they give you any of their personal data. This applies both to customers in the dealership, and for any distance selling activities.
If you don't have a privacy notice already, then you should create one. It should be easy for the customer to understand, and explain what you do with their data and why. We recommend you consider the ICO guidance on what you should include in your privacy notice as a minimum.

In order for processing to be fair, the data controller (Close Brothers Motor Finance and our dealer partners) must make certain information available to the data subjects (customers). That information is:

  • Who the data controller is;
  • The purpose or purposes for which the information will be processed; 
  • The data retention period;
  • Who the data is shared with; and
  • Any further information which is necessary for the specific circumstances to enable the processing to be fair.

This applies whether the personal data was obtained directly from the customer, or from other sources.
Information you provide to people about how you process their data must be:

  • Concise, transparent, intelligible and easily accessible;
  • Written in clear and plain language; and
  • Free of charge.

You should think about the intended audience for your privacy notice and put yourself in their position. 

GDPR affects any organisation which holds or processes personal data. It also gives new rights to customers and gives them more control over their personal information. We, as a finance provider, and you, as our dealer partner, both have responsibilities to ensure we are doing the right thing for our customers, and there are certain changes we must make.

GDPR covers information that is classed as Personally Identifiable Information (PII), so this includes names, addresses and bank details. Things such as your company turnover or sales receipts are not covered by GDPR.

GDPR will replace the Data Protection Act 1988. They both share the same underlying principles about customer data and treating it responsibly, but there are key differences you need to take note of. To understand the key provisions of GDPR, we suggest you visit the ICO website at https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/

PII is 'Personally Identifiable Information'. As described in the regulation, it is 'any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, ID number, location data or online identifier.' This means that PII is anything like customer name, address, email address, vehicle registration, credit card number, VIN/VRN etc. It's any piece of information that, on its own or when used in conjunction with other information, could allow you to identify a unique individual.

All PII is covered by GDPR and you must have a valid lawful basis in order to process PII. You should look at the PII you hold and determine your lawful basis for processing that PII before you begin processing. You should also document the lawful basis for that processing. You should consult the ICO website to understand what lawful basis, if any, will apply to your processing of PII.

 

For further information on ICO registration and to understand if you should be registered, you can visit their website - https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/guide-to-the-data-protection-fee/

The changes come into effect on 25 May 2018. 

As always, our Account Managers will be the first port of call for supporting you through this change, alongside our operations teams in your local branch. We will be providing you with information (like these FAQs) over the coming weeks. 

Since the UK will still be a member of the EU on the date the GDPR enters into effect, the GDPR will become part of UK law. It’s been confirmed by the UK Government that the GDPR will remain UK law after Brexit.

The best place to start is the Information Commissioner’s Office (ICO) website. They have produced a guide to the 12 things you need to think about right now, and a ‘Getting Ready for GDPR’ checklist, along with plenty of background information about the new regulation.
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/

These changes come into effect on 25 May 2018; you might notice that our agreements and consent statements will change just before this date. We’ll also be making some small changes to the application process for customers to ensure we capture the correct consents from them to allow us to process their data and keep in touch with them in future.

We've put together our top five tips for GDPR compliance which you can view or download here.

If you need more information about GDPR, and what it means for your relationship with Close Brothers Motor Finance, please contact your Account Manager.
 

Legal Disclaimer

The information on this page is for general information purposes only. The information is provided by Close Brothers Motor Finance, and while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied about the completeness, accuracy, reliability, suitability or availability. 

Any reliance you place on such information is therefore strictly at your own risk. You should seek independent legal advice if you are in any doubt as to your own legal obligations.

In no event will we be liable for any loss or damage including without limitation, indirect or consequential loss or damage or any loss or damage whatsoever arising from loss of data or profits arising out of, or in connection with, the use of this content. 

You should not copy, share or reproduce this content. Close Brothers Limited does not accept any responsibility to any unconnected third party in the event that its contents are reproduced or relied upon as legal advice in any way.