As privacy laws become a factor in daily business, dealers often ask, “How do I comply?” But asking that poses a risk. You might get the wrong answer and end up with a compliance program tailored to fit someone else's dealership.
One size does not fit all. The size, scope, and methods of your business affect how you should comply. That flexibility factor is explicitly acknowledged in the Gramm-Leach-Bliley Safeguards Rule issued by the Federal Trade Commission.
To drive toward compliance answers that make sense for your dealership, try replacing “how do I comply” with these three questions.
“What law do I have to follow and what does it say?”
Get to know the law itself. You can locate the privacy, safeguards, and telemarketing rules at www.ftc.gov. Don't be put off thinking it will be confusing legalese. Not only are the rules readable, the FTC offers straightforward business guidance on its Web site.
Be sure to factor in the rules you've created. Commitments you make in privacy notices and online privacy policies represent compliance obligations too.
“If my customers could see behind the scenes in my dealership, what privacy concerns would make them leave my showroom?”
Put yourself in the shoes of a car buyer making a big purchase. As you're turning over personal information such as address, Social Security number, and bank account data, what safeguards against identity theft would you expect in a dealership?
At a dealership running credit checks from a standalone, Internet-connected PC, you might expect a PC firewall, while another dealership could rely on security features built into its dealer management system environment.
One dealership might scan sensitive papers into a secure digital system. For another dealership, it might be reasonable to store those same documents in a file cabinet located in an “Authorized Personnel Only” area that is locked at the end of the day.
“Where's my compliance file?”
Only you can fulfill the critical step of documenting your questions, answers, and actions — complete with names, dates, and descriptions. Privacy is hard enough to see. Compliance is downright invisible if you don't document your efforts.
You'll always have questions.
But with targeted questions, you will be positioned to ask vendors and service providers for more than their commitments to confidentiality and safeguards. You can ask focused questions that lead to integrated compliance-support solutions.
For example, you might inquire about functionality that helps you incorporate do-not-call or Office of Foreign Assets Control (OFAC) alerts into your existing processes. You may discover untapped security features in your dealer management system that help limit employees' and third parties' access to sensitive customer data.
The right questions can help you leverage your existing investment, and that can translate into time and money saved.
Timing is everything. It's hard for your providers to offer compliance support you haven't yet asked for. If you want your questions to drive the development of technology or consulting offerings, ask them when the rules are announced, not when they're about to take effect.
Here's the big payoff.
A compliance program that makes sense for your dealership's customers is also likely to make sense to the Federal Trade Commission, should they happen to ask.
Better yet, they won't have reason to.
Dave Stampley is Senior Corporate Counsel and Director of Privacy for The Reynolds and Reynolds Company. He previously led e-commerce privacy enforcement efforts for the New York State Attorney General.