A new initiative aimed at improving privacy protections in the used vehicle sector has been launched by the National Association of Motor Auctions (NAMA).
The Data Deletion and Privacy Protection Certificate was developed with input from auction operators, compliance specialists and technology providers.
It is designed to set standards around how personal data stored in vehicles is handled, covering areas including deletion procedures, auditability and reporting, operational workflows and governance aligned with UK GDPR.
Jonathan Butler, legal counsel at the Vehicle Remarketing Association (VRA) which is supporting thr initiative, said: “Legal analysis and regulatory expectations make clear organisations handling vehicles – including rental, leasing, fleet and remarketing businesses – become data controllers for personal data stored in a vehicle once it returns to their possession.
“Failing to delete this data before the vehicle is passed to another user may constitute unlawful processing and a personal data breach, potentially contravening several articles of UK GDPR.
“The new NAMA certificate provides the means for the automotive industry to take decisive action to protect consumer privacy as connected vehicle features continue to expand the volume of personal data stored in modern vehicles.”
VRA member Privacy4Cars has been named the first approved supplier under the initiative after its data-deletion platform was assessed against the scheme’s requirements.
The company said the process ensures personally identifiable information and other sensitive data is removed consistently and in a verifiable way before resale.
Philip Nothard, VRA chair, said: “As cars and vans incorporate more and more digital technology, the responsible management of the personal data stored in them is becoming an increasingly acute issue.
“From navigation histories and call logs to synced contacts and messages, modern vehicles routinely store sensitive information – and when those vehicles are returned, resold, or remarketed, that data frequently remains. For all of those reasons, this NAMA initiative is timely and welcome.”
The privacy risks were highlighted by Martin Wilson, VP partnerships for UK and EU at Privacy4Cars, who told a VRA conference in November that his team accessed a vehicle containing extensive personal information – including addresses, emails, contacts and navigation history. He said the “most shocking” discovery was that the driver was a military contractor, and the stored navigation data included classified sites.
Under UK GDPR, an organisation that determines the purposes and means of processing personal data becomes a data controller. The article states that when a rental, leasing, fleet or remarketing business regains possession of a vehicle, it assumes control over the personal data stored within it.
It warns that continuing to store or disclose that information without a lawful basis risks breaches of UK GDPR requirements around lawfulness, fairness and transparency, data minimisation, and security of processing, and that passing a vehicle to another user without erasing the data may amount to unlawful processing and a personal data breach.
The Information Commissioner’s Office (ICO) can impose significant penalties for UK GDPR breaches, with fines of up to £17.5 million or 4% of global annual turnover.