Data Protection – penalties

We live in a digital age – and never more so than when we have a business to run.

As with just about every other business, motor dealerships are likely to maintain extensive electronic records containing personal details of their employees and customers. More than many other industries, however, the motor trade also needs to keep its suppliers, the motor manufacturers, updated with much of this information, which is used primarily for marketing purposes.

Data protection

The way in which that data is used and stored, however, is subject to legal controls.

These are soon to be complicated by parallel controls at both national and EU level:

  • the UK’s Data Protection Act has been in force since 1998 and imposes a strict set of so-called “data protection principles” on any business which keeps personal records – electronic or otherwise – and on the way in which that data may be used or passed on to other parties; and
  • with effect from the 25th of May 2018, a new raft of Europe-wide data protection measures is introduced by the new General Data Protection Regulations (GDPR) – a legal framework introduced by the EU whose application in the UK is not affected by Brexit, the government has confirmed.

The GDPR generally reflects the definitions and regulations on data protection already covered in the Data Protection Act, although the former places greater emphasis on the principle of consent by data subjects to the ways in which their personal information may be used – the consent must be consciously given, and those keeping the data cannot rely on a subject’s silence or inaction, or on pre-ticked boxes.


It is with respect to the penalties imposed for breaches of the new GDPR, however, that the most dramatic departure from the existing Data Protection Act emerges.

Currently the maximum fine any business may face is a substantial £500,000.

For breaches of the GDPR, however, the UK’s Information Commissioner’s Office (ICO) has the authority to impose fines of up to €20 million (approximately £17.5 million) or the equivalent of up to 4% of the value of the company’s worldwide sales.

It remains to be seen just how the provisions contained in the GDPR will be interpreted and applied, but the larger fines are expected to be imposed on companies responsible for the loss of customers’ data.

Insurance for Motor Traders

With such changes afoot, it becomes more important than ever that dealers have adequate motor trade insurance cover to safeguard themselves against claims of this potential order.

Any fine imposed by the ICO, for example, is likely to add fuel to customers claiming damages arising from the misuse or loss of their personal data. Such claims are likely to be made under the public liability cover typically included in the average motor trade business insurance package.

Where once you might have considered £1 million liability insurance adequate protection against claims made under the Data Protection Act and its maximum £500,000 fine, for example, the stakes and the risks are considerably increased if fines of £17.5 million are possible.

As motor trade insurance brokers, Road Runner could help find the security and reassurance you need, so we look forward to hearing from you – get in touch with us today.