Automotive dealerships and the AI Revolution? Key data protection questions you need to ask yourself before diving in.
The emergence of ChatGPT has sparked widespread commentaries and debate about the opportunities and challenges that Artificial Intelligence (“AI”) presents for car dealerships.
Luke Dixon, Data Protection, e-Privacy and Cyber partner at Freeths is keen to provide some clarity on the opportunities and risks that lay ahead.
AI provides auto dealerships with exciting solutions to enhance their business and customer experience, including:
• Better customer engagement and relationship management.
• Personalised marketing to customers.
• Smarter cross-selling/up-selling.
• Operational optimisation.
Key questions
This all sounds great, but what about the challenges, particularly where UK GDPR is concerned? As part of its drive to educate UK businesses about their data protection responsibilities (and how to meet them), the UK data regulator (the “ICO”) has published comprehensive guidance.
Luke has summarised their key questions to make clear what developers and users of AI should ask themselves before deploying or developing the technology:
• What is your lawful basis for processing personal data? A developer or user will need to identify a lawful basis for processing personal data with AI. This might be (for example) consent or legitimate interests. You will need an extra condition where you process special category data.
• Are you a controller, joint controller or a processor? You will need to identify which of these you are, to understand your compliance obligations. Identifying your role might be difficult. The ICO anticipates that a developer will be a controller, but that a user of AI might be a controller, joint controller or a processor.
• Have you prepared a Data Protection Impact Assessment (“DPIA”)? You will need to assess and mitigate any impacts on privacy rights by conducting a DPIA. You should do this prior to your processing using AI. This will help you comply with your data protection obligations.
• How will you ensure transparency? You will need to make available privacy notices to individuals that cover the AI processing, unless an exemption applies.
• How will you mitigate security risks? You should consider a range of security risks, from common risks such as leakage of information to “data poisoning”.
• How will you limit unnecessary processing? You should limit your processing of personal data using AI to that which is necessary for your purposes.
• How will you comply with individual rights requests? Individuals have various rights under UK/EU GDPR, from accessing their data to requesting its correction or erasure. How will your AI processing deal with these requests?
• Will you use generative AI to make solely automated decisions? If so, and those decisions have legal or similarly significant effects on the relevant individuals, the affected individuals will have additional rights under UK/EU GDPR.
Next steps
Before you develop or use AI, as a minimum you should ask yourself these eight questions. You may also benefit from the further helpful ICO guidance and resources on this topic.
We recommend that auto dealerships take data protection compliance into account from the outset when embarking on processing data using AI, taking specialist legal advice where appropriate. In doing so, they will be best placed to exploit the exciting benefits of this technology, whilst mitigating the compliance challenges it might pose.
Free webinar for automotive retailers
To learn more about the topic, Luke will be hosting a free webinar; Wednesday 22nd May, covering the practical considerations in more detail. Please register here.
Partner – Data Protection, e-Privacy and Cyber