General Data Protection Regulation
• Data Mapping Workbook
Contents
• Introduction
• Customer Consent
• Data Capture Points
• Examples of Data Maps
  • Sales process
  • Service process
• Considerations for Data Mapping:
  • Sales Processes
  • Service Processes
  • General Business Processes
  • Bodyshop Processes
  • Parts Processes
Introduction
This document will guide you through the process of mapping out all of the data flows in a typical business.
The key points to consider when mapping data are:
• Who captures the data
• How is it captured (electronic or paper form)
• Is the appropriate consent requested
• Who stores the captured data & consent
• How is it stored (digitally or manually filed)
• How long is it stored for
Customer Consent
• To be compliant, forms, whether manual or electronic, need to have Consent boxes whenever customer data is being collected, such as the example below:
Data Capture Points
• To map the data flows, consider all of the relevant data capture points where Customer Consent is requested, along with where this information is stored, as in this example for a sales department:

Data Capture Points (each requesting Customer Consent):
• Manufacturer Leads
• 3rd Party Leads
• Telephone Leads
• Showroom Walk-Ins
• Off Site Events
• Additional Sales (GAP, Paint Protection, etc.)
• Insurance Products
• Finance Products
• Vehicle Order

Data Storage Points:
• DMS
• Showroom System
• Hard Copy
Example Data Map – Sales Process (Walk In)
• This then allows for a typical process to be mapped out. Here we see an example of a customer buying a car after walking in to the showroom:

Steps in the process, with the questions to ask at each:
• Customer walks into showroom to buy a car
• Sales Exec captures customer data on physical form (Consent requested)
  • Where/how long is this physical information stored?
• Information added to electronic showroom system
  • System should mirror consent information captured
  • How does system provider store information and for how long?
• Finance applied for via Finance system
  • System should mirror consent information captured
  • Is consent requested again on Finance form?
  • How does finance provider store information and for how long?
• Additional Sales added (GAP, Paint Protection, Warranty)
  • Is consent requested again on provider’s registration form?
  • How does provider store information and for how long?
• Vehicle ordered on Manufacturer’s ordering system
  • Is consent required again?
  • How does manufacturer store information and for how long?
• Customer registered on MyManufacturer portal
  • Is consent required again?
  • How does manufacturer store information and for how long?
• Information added to DMS
  • System should mirror consent information captured
  • How does system provider store information and for how long?
Example Data Map – Service Process (Online Booking)
• Another example shown here maps out a customer coming in for service following an online booking:

Steps in the process, with the questions to ask at each:
• Customer makes an online booking for service
• Online booking form completed (Consent requested)
  • Where/how long is this information stored?
• Information added to electronic booking system
  • System should mirror consent information captured
  • How does system provider store information and for how long?
• Customer comes in for service (jobcard created)
  • Jobcard should ask consent permissions
  • Hand written job card data/consent should be replicated on DMS
  • Is more data requested again on Job card?
  • How is Job Card stored & for how long?
  • How is DMS data stored and for how long?
• VHC carried out during service on standalone system
  • Is data & consent requested again on VHC system?
  • How does provider store information and for how long?
• Video taken of fault on vehicle on standalone system
  • Is data & consent requested again on Video system?
  • How does provider store information and for how long?
• Customer registered on MyManufacturer portal
  • Is consent required again?
  • How does manufacturer store information and for how long?
Data Mapping Considerations
• The following pages break down each data point into the necessary considerations related to that point.
• This should help you to build Data Maps for every process in your business.
• You can track your progress by using the GDPR Data Mapping Tracker document supplied with this guide
Considerations - Sales
Leads
• Vehicle selling platforms (Autotrader, carwow, etc…)
• Lead Management (Initial Enquiry)
• Video Selling Tools (CitNOW, Video1st, etc…)
• Sales Events (Dealer Organised)
• Sales Events (3rd Party Organised)
• Off-Site Events
Sales Process
• Appraisal Form
• Showroom Management (Face to Face enquiry)
• Deal Stacking/Optimising (Quotations)
• Finance providers
• Vehicle Ordering
Additional Sales
• Extended Warranties (can be different provider to Service)
• Insurance products (Car, GaP)
• Protection Products (Paint Protection, etc…)
Contact Cycle Management
• CRM/Prospecting tools
• Equity Mining Tools
Considerations - Service
Bookings
• DMS Based
• 3rd Party Booking systems (RTC, etc…)
• Fleet Vehicle Platforms (1Link, Motability)
• Online Booking Portal (Dealer/Manufacturer)
• Courtesy Car booking (if standalone)
Service Process
• DMS (Job card)
• Vehicle Health Check (Manual)
• Vehicle Health Check (Electronic)
• Video Selling Tools (CitNOW, Video1st)
• Courtesy Car Agreement/Insurance
Additional Sales
• Service plans
• Insurance products (MOT Insurance, Tyre Insurance, etc…)
• Extended Warranties (can be different provider to Sales)
Maintenance Scheduling
• CRM (Service/MOT reminders)
• VHC Follow Up
Considerations - General/Bodyshop/Parts
General
• Manufacturer Leads
• Website forms
• Live-chat
• Dealer App
• ‘MyManufacturer’ portals
• Customer Satisfaction Management tool
• System failure manual forms
Bodyshop
• Bodyshop estimating tools – Audatex
• Insurance claiming portals (body repairs)
Parts
• Parts ordering
• Online selling platforms (ecommerce portals)
Sales
• Leads
Vehicle Selling Platforms (Auto Trader, CarWow)
• Data Flow: Third Party Collects the Data
  Consideration: Are they GDPR Compliant? (How is consent asked, how do they store data & how long for)
• Data Flow: Data Passed to Dealer
  Consideration: Where do you store it?
• Data Flow: Data Transferred to Internal System at Dealer
  Consideration: Is your Internal System GDPR Compliant? (How is data/consent stored and for how long)
Lead Management (Initial Enquiry)
• Data Flow: Lead Information Captured
  Consideration: If third party has collected, are they GDPR compliant? (How is consent asked, how do they store data & how long for)
  Consideration: If internal capture, are your forms GDPR compliant? (How is data/consent stored and for how long)
• Data Flow: Data Transferred to Internal System at Dealer
  Consideration: Is your Internal System GDPR Compliant? (How is data/consent stored and for how long)
Video Selling Tools (CitNOW, Video1st, etc…)
• Data Flow: Dealer inputs customer information into tool
  Consideration: Is the 3rd party tool’s form GDPR Compliant? (How is consent asked)
• Data Flow: Customer information stored by 3rd party
  Consideration: Is the 3rd party tool’s storage GDPR compliant? (How do they store data & how long for)
Sales Events (Dealer Organised)
• Data Flow: Dealer extracts list of customers to contact for invitations from database
  Consideration: Does the relevant database specifically show customer’s agreement to be contacted by the relevant means?
• Data Flow: Dealer sends invitations out to customers using only consented-to methods
  Consideration: Is additional information requested on the invite? Does it ask the proper consent?
• Data Flow: Invitations received back from customers
  Consideration: How is any new information stored and for how long?
Sales Events (3rd Party Organised)
• Data Flow: Dealer extracts list of customers to contact for invitations from database
  Consideration: Does the relevant database specifically show customer’s agreement to be contacted by the relevant means?
• Data Flow: Dealer supplies information to 3rd party event management company to send out invites
  Consideration: Is the 3rd party’s storage GDPR compliant? (Do they replicate consent options, how do they store data and for how long)
• Data Flow: Invitations received back from customers
  Consideration: How is any new information stored and for how long?
Off-Site Events
• Data Flow: Dealer uses paper or electronic forms to collect new customer information off site
  Consideration: Are the forms being used GDPR compliant? (Consent asked, what happens to the forms afterwards)
• Data Flow: Post event, the dealer inputs the gathered data onto the relevant internal system
  Consideration: Is the internal system GDPR compliant? (How is data/consent stored and for how long)
Sales
• Sales Process
Appraisal Form
• Data Flow: Dealer uses paper or electronic forms to collect new customer information
  Consideration: Are the forms being used GDPR compliant? (Is consent asked for, how is the form stored and for how long)
• Data Flow: The dealer inputs the gathered data onto the relevant internal system
  Consideration: Is your Internal System GDPR Compliant? (How is data/consent stored and for how long)
• Data Flow: Paper appraisal forms may be kept with the deal file
  Consideration: Is the storage GDPR compliant? (Is it stored securely and how long for)
Showroom Management (Face to Face enquiry)
• Data Flow: Dealer uses paper or electronic forms to collect new customer information
  Consideration: Are the forms being used GDPR compliant? (Is consent asked for, how is the form stored and for how long)
• Data Flow: The dealer inputs the gathered data onto the relevant internal system
  Consideration: Is your Internal System GDPR Compliant? (How is data/consent stored and for how long)
Deal Stacking/Optimising (Quotations)
• Data Flow: Dealer uses paper or electronic forms to collect new customer information
  Consideration: Are the forms being used GDPR compliant? (Is consent asked for, how is the form stored and for how long)
• Data Flow: The dealer inputs the gathered data onto the relevant internal system
  Consideration: Is your Internal System GDPR Compliant? (How is data/consent stored and for how long)
Finance providers
• Data Flow: Dealer inputs customer information onto finance system when applying for finance
  Consideration: Is the finance provider GDPR compliant? (Is consent asked, how is data stored and for how long)
• Data Flow: Finance documentation produced to complete finance
  Consideration: Is the finance documentation GDPR compliant? (Is consent asked)
• Data Flow: Finance documentation stored with deal file
  Consideration: Is the storage of the financial documentation GDPR compliant? (Is it secure and how long is it stored for)
Vehicle Ordering
• Data Flow: Dealer completes either a manual or electronic order form to order a vehicle
  Consideration: Is the order form GDPR compliant? (Is consent asked, how is data stored and for how long)
• Data Flow: Vehicle is ordered via Manufacturer portal
  Consideration: Is the ordering portal GDPR compliant? (Is consent asked, how is data stored and for how long)
• Data Flow: Order form is then stored with the deal file
  Consideration: Is the storage of the physical order form GDPR compliant? (Is it secure and how long is it stored for)
Sales
• Additional Sales
Extended Warranties (Sales)
• Data Flow: Dealer registers warranty by supplying customer information to warranty provider
  Consideration: Is the warranty provider’s form & data storage GDPR compliant? (Is consent asked, how do they store the data)
• Data Flow: A copy of the warranty documentation kept with the deal file
  Consideration: Is the storage of the warranty documentation GDPR compliant? (Is it secure and how long is it stored for)
Insurance products (Car, GaP)
• Data Flow: Dealer registers Insurance by supplying customer information to insurance provider
  Consideration: Is the Insurance provider’s form & data storage GDPR compliant? (Is consent asked, how do they store the data)
• Data Flow: A copy of the Insurance documentation kept with the deal file
  Consideration: Is the storage of the Insurance documentation GDPR compliant? (Is it secure and how long is it stored for)
Protection Products (Paint Protection, etc…)
• Data Flow: Dealer registers product by supplying customer information to product provider
  Consideration: Is the product provider’s form & data storage GDPR compliant? (Is consent asked, how do they store the data)
• Data Flow: A copy of the product documentation kept with the deal file
  Consideration: Is the storage of the product documentation GDPR compliant? (Is it secure and how long is it stored for)
Sales
• Contact Cycle Management
Equity Mining Tools
• Data Flow: Dealer builds campaigns using Equity Mining tool
  Consideration: Does the tool account for customer’s agreement to be contacted by the relevant means?
• Data Flow: Outbound activity begins to make contact with prospective customers
  Consideration: Are outbound operators aware of the GDPR regulations?
Service
• Bookings
DMS Based Bookings
• Data Flow: Booking Information Captured
  Consideration: If third party booking provider has collected, are they GDPR compliant? (How is consent asked, how do they store data & how long for)
  Consideration: If using paper forms to capture data, are they GDPR compliant? (How is data/consent stored and for how long)
• Data Flow: Booking made in DMS System at Dealer
  Consideration: Is your DMS System GDPR Compliant? (How does it store Consent options, how long for)
3rd Party Booking systems (RTC, etc…)
• Data Flow: Booking Information Captured
  Consideration: If third party booking provider has collected, are they GDPR compliant? (How is consent asked, how do they store data & how long for)
  Consideration: If using paper forms to capture data, are they GDPR compliant? (How is data/consent stored and for how long)
• Data Flow: Booking made in 3rd Party Booking System at Dealer
  Consideration: Is your 3rd Party Booking System GDPR Compliant? (How does it store Consent options, how long for)
Fleet Vehicle Platforms (1Link, Motability)
• Data Flow: Booking Information Captured by Fleet Provider
  Consideration: Is the Fleet Provider GDPR compliant? (How is consent asked, how do they store data & how long for)
• Data Flow: Booking made in Booking System at Dealer
  Consideration: Is your Booking System GDPR Compliant? (How does it store Consent options, how long for)
Online Booking Portal (Dealer/Manufacturer)
• Data Flow: Booking Information Captured by Online Booking Provider
  Consideration: Is the Online Booking Provider GDPR compliant? (How is consent asked, how do they store data & how long for)
• Data Flow: Booking made in Booking System at Dealer
  Consideration: Is your Booking System GDPR Compliant? (How does it store Consent options, how long for)
Courtesy Car booking (if standalone)
• Data Flow: Courtesy Car Booking Information Captured
  Consideration: If third party booking provider has collected, are they GDPR compliant? (How is consent asked, how do they store data & how long for)
  Consideration: If using paper forms to capture data, are they GDPR compliant? (How is data/consent stored and for how long)
• Data Flow: Booking made in Courtesy Car Booking System at Dealer
  Consideration: Is your Courtesy Car Booking System GDPR Compliant? (How does it store Consent options, how long for)
Service
• Service Process
DMS (Job card)
• Data Flow: Job card created for use with the customer, data captured on job card
  Consideration: Is the printed Job Card GDPR compliant for Data Capture Purposes? (Is consent asked)
• Data Flow: Data transferred to DMS
  Consideration: Is the DMS GDPR compliant for Data Capture Purposes? (Are consent options replicated)
• Data Flow: Job Card Archived
  Consideration: Is the storage GDPR Compliant? (Is it stored securely and for how long)
Vehicle Health Check (Manual)
• Data Flow: Dealer uses paper forms to carry out VHC
  Consideration: Are the forms being used GDPR compliant? (Is consent asked)
• Data Flow: The dealer may input the gathered data onto the relevant internal systems
  Consideration: Are the internal systems GDPR compliant? (Are consent options mirrored, how is the info stored and for how long)
• Data Flow: Paper VHC forms may be kept with the job card
  Consideration: Is the job card storage GDPR compliant? (How is it stored and for how long)
Vehicle Health Check (Electronic)
• Data Flow: Dealer inputs customer information into VHC tool
  Consideration: Is the VHC tool’s form GDPR Compliant? (How is consent asked)
• Data Flow: Customer information stored by VHC tool
  Consideration: Is the VHC tool’s storage GDPR compliant? (How do they store data & how long for)
Video Selling Tools (CitNOW, Video1st, etc…)
• Data Flow: Dealer inputs customer information into tool
  Consideration: Is the 3rd party tool’s form GDPR Compliant? (How is consent asked)
• Data Flow: Customer information stored by 3rd party
  Consideration: Is the 3rd party tool’s storage GDPR compliant? (How do they store data & how long for)
Courtesy Car Agreement/Insurance
• Data Flow: Dealer uses manual or electronic forms to set up agreement/insurance cover
  Consideration: Are the forms being used GDPR compliant? (How is consent asked)
• Data Flow: The dealer may input the gathered data onto relevant internal systems
  Consideration: Are the internal systems GDPR compliant? (Are consent options mirrored, where is data stored and for how long)
• Data Flow: Physical agreement forms may be filed for later use
  Consideration: Is the form storage GDPR compliant? (Where is data stored and for how long)
Service
• Additional Sales
Service plans
• Data Flow: Dealer registers Service Plan by supplying customer information to insurance provider
  Consideration: Is the Service Plan provider’s form & data storage GDPR compliant? (Is consent asked, how do they store data and for how long)
• Data Flow: A copy of the Service Plan documentation kept with the deal file or job card
  Consideration: Is the storage of the Service Plan documentation GDPR compliant? (Where is it stored and for how long)
Insurance products (MOT Insurance, Tyre Insurance)
• Data Flow: Dealer registers Insurance by supplying customer information to insurance provider
  Consideration: Is the Insurance provider’s form & data storage GDPR compliant? (Is consent asked, how do they store data and for how long)
• Data Flow: A copy of the Insurance documentation kept with the job card
  Consideration: Is the storage of the Insurance documentation GDPR compliant? (Where is it stored and for how long)
Extended Warranties (Service)
• Data Flow: Dealer registers warranty by supplying customer information to warranty provider
  Consideration: Is the warranty provider’s form & data storage GDPR compliant? (Is consent asked, how do they store data and for how long)
• Data Flow: A copy of the warranty documentation kept with the job card
  Consideration: Is the storage of the warranty documentation GDPR compliant? (Where is it stored and for how long)
Service
• Maintenance Scheduling
CRM (Service/MOT reminders)
• Data Flow: Dealer builds campaigns using CRM prospecting tool
  Consideration: Does the tool account for customer’s agreement to be contacted by the relevant means?
• Data Flow: Outbound activity begins to make contact with prospective customers
  Consideration: Are outbound operators aware of the GDPR regulations?
VHC Follow Up
• Data Flow: Dealer builds campaigns using VHC Follow Up tool
  Consideration: Does the tool account for customer’s agreement to be contacted by the relevant means?
• Data Flow: Outbound activity begins to make contact with prospective customers
  Consideration: Are outbound operators aware of the GDPR regulations?
General/Bodyshop/Parts
• General
Manufacturer Leads
• Data Flow: Manufacturer Collects the Data via a form
  Consideration: Is the form GDPR Compliant? (Is consent asked, how do they store data and for how long)
• Data Flow: Data Passed to Dealer via Lead Portal
  Consideration: How do you store it securely & for how long?
• Data Flow: Data Transferred to Internal System at Dealer
  Consideration: Is your Internal System GDPR Compliant? (Does it mirror consent options, how does it store data and for how long)
Website forms
• Data Flow: Website Provider Collects the Data via an online form
  Consideration: Is the form GDPR Compliant? (Is consent asked, how do they store data and for how long)
• Data Flow: Data Passed to Dealer
  Consideration: How do you store it securely & for how long?
• Data Flow: Data Transferred to Internal System at Dealer
  Consideration: Is your Internal System GDPR Compliant? (Does it mirror consent options, how does it store data and for how long)
Live-chat
• Data Flow: Live-Chat Provider Collects the Data
  Consideration: Are they GDPR Compliant? (Is consent asked, how do they store data and for how long)
• Data Flow: Data Passed to Dealer
  Consideration: How do you store it securely & for how long?
• Data Flow: Data Transferred to Internal System at Dealer
  Consideration: Is your Internal System GDPR Compliant? (Does it mirror consent options, how does it store data and for how long)
Dealer App
• Data Flow: Dealer App Provider Collects the Data
  Consideration: Are they GDPR Compliant? (Is consent asked, how do they store data and for how long)
• Data Flow: Data Passed to Dealer
  Consideration: How do you store it securely & for how long?
• Data Flow: Data Transferred to Internal System at Dealer
  Consideration: Is your Internal System GDPR Compliant? (Does it mirror consent options, how does it store data and for how long)
‘MyManufacturer’ portals
• Data Flow: Manufacturer Portal Collects the Data
  Consideration: Are they GDPR Compliant? (Is consent asked, how do they store data and for how long)
• Data Flow: Data Passed to Dealer
  Consideration: How do you store it securely & for how long?
• Data Flow: Data Transferred to Internal System at Dealer
  Consideration: Is your Internal System GDPR Compliant? (Does it mirror consent options, how does it store data and for how long)
Customer Satisfaction Management tool
• Data Flow: Customer Satisfaction Portal Collects the Data
  Consideration: Are they GDPR Compliant? (Is consent asked, how do they store data and for how long)
• Data Flow: Data Passed to Dealer
  Consideration: How do you store it securely & for how long?
• Data Flow: Data Transferred to Internal System at Dealer
  Consideration: Is your Internal System GDPR Compliant? (Does it mirror consent options, how does it store data and for how long)
System failure manual forms
• Data Flow: System fails (e.g. DMS) so manual forms are used temporarily to capture data
  Consideration: Are the forms GDPR compliant? (Is consent asked)
• Data Flow: Data Transferred to relevant system once back up and running
  Consideration: Manual form destroyed responsibly (Shredded)?
General/Bodyshop/Parts
• Bodyshop
Bodyshop estimating tools – (Audatex, etc…)
• Data Flow: Dealer inputs customer information into tool
  Consideration: Is the 3rd party tool’s form GDPR Compliant? (Are consent options mirrored)
• Data Flow: Customer information stored by 3rd party
  Consideration: Is the 3rd party tool’s storage GDPR compliant? (How is data stored and for how long)
• Data Flow: Dealer completes manual paper estimate capturing customer data
  Consideration: Is the form GDPR Compliant? (Is consent asked)
Insurance claiming portals (body repairs)
• Data Flow: Dealer inputs customer information into tool
  Consideration: Is the 3rd party tool’s form GDPR Compliant? (Are consent options mirrored)
• Data Flow: Customer information stored by 3rd party
  Consideration: Is the 3rd party tool’s storage GDPR compliant? (How is data stored and for how long)
General/Bodyshop/Parts
• Parts
Parts Ordering
• Data Flow: Dealer completes either a manual or electronic order form to order a part
  Consideration: Is the order form GDPR compliant? (Is consent asked, how is data stored and for how long)
• Data Flow: Part is ordered via relevant portal
  Consideration: Is the ordering portal GDPR compliant? (Are consent options mirrored, how is data stored and for how long)
• Data Flow: Order form is then stored until not required
  Consideration: Is the storage AND disposal of the order form GDPR compliant? (Is storage secure and how long is it kept)
Online selling platforms (ecommerce portals)
• Data Flow: Third Party Collects the Data
  Consideration: Are they GDPR Compliant? (How is consent asked, how do they store data & how long for)
• Data Flow: Data Passed to Dealer
  Consideration: Where do you store it?
• Data Flow: Data Transferred to Internal System at Dealer
  Consideration: Is your Internal System GDPR Compliant? (How is data/consent stored and for how long)