1. Home
  2. Insights and Resources
  3. Blog Post
  4. Follow the Data: Mapping the Compliance and GDPR Implications for Connected Vehicles

Follow the Data: Mapping the Compliance and GDPR Implications for Connected Vehicles

automotive-data-securityJust over two years after the General Data Protection Regulation (GDPR) came into effect in the EU, we can observe that the flow of connected car data, in its different states, anonymised and non-anonymised, has stretched the regulation to the limit in regard to the use of data in the car ecosystem.

The industry body Insurance Europe recently said that the European Data Protection Board (EDPB) move towards regulating the flow of data to and from connected vehicles still requires many clarifications. It said that regulators still need to be more flexible in their approach to how telematics insurance products – and other connected car products – have to function.

On the side of the automotive OEMs, the European Automobile Manufacturers’ Association (ACEA) published its checklist of rules and recommendations for regulating vehicle autonomy.

Today we are seeing alternative process flows emerging, There is the rise of the in-house insurance solutions of the automotive OEMS on the one hand, such as Mercedes-Benz Bank with Inscore and insurance partner ADI, Insure My Tesla, Ford with Metromile, and many others, and the subscription vehicle programmes. Then there are traditional insurer-to-consumer or broker-to-consumer process flows on the other hand.

The GDPR standards for data sharing are paramount for all parties and they include: being transparent, giving customers choice, taking data protection into account at all times, maintaining data security, applying the principle of privacy by design, and processing personal data in a proportionate manner to the usage.

Decentralised and complex data proposition

The bottom line is that personal data only gets shared with third parties from a connected vehicle – for the purpose of delivering telematics insurance or any other product – on the basis of a contract with the customer or vehicle owner, with the prior consent of the customer, or to comply with legal obligations, on the basis of legitimate interest.

Overall, the insurance data ecosystem is becoming more decentralised and more complex, especially if we bring into the equation the rise of car sharing and car pooling, with some identity and verification challenges, alternatively a B2C relationship or a B2B relationship for the insurer and risk carrier.

Increased vehicle complexity of newer vehicles is leading to higher repair costs, and therefore higher average claims costs for insurance overall, but also lower average claims frequency. This is a mega-trend that is being accelerated with the rise of electric vehicles and EV batteries where costly repairs (up to $15,000 battery cost alone for high-end 100 kWh capacity EVs) can be incurred even in the case of minor accidents.

The trend for automotive OEMs to underwrite risk directly by setting up their own in-house insurer or broker arm is still small scale but rising. In this business model the car maker takes control of the insurance and repair process, with cover typically paid as part of monthly lease payments. The traditional insurers meanwhile are increasingly digitized and they are sharpening their own pricing and customer engagement programmes to stay competitive.

Many participants converging on the connected vehicle ecosystem

In summary many different parties, including the Silicon Valley tech giants, car manufacturers, auto-parts producers, startups, computer engineers, lawyers, data scientists, insurance providers and the regulators themselves, are all converging on this common territory: how to keep connected vehicles operating securely and within the law, and within the boundaries of consumer consent.

After all, the petabytes data coming out of connected vehicles, now and in the future, provide a rich source of opportunities and benefits for automotive OEMs, the insurance industry and vehicle owners. At LexisNexis Risk Solutions we are working at the heart of this multi-faceted conversation, bringing both automotive expertise and insurance expertise, having faced such mega-scale data enterprise challenges for over 30 years.

In summary, GDPR establishes that:

  • Data cannot be collected or processed without the subject’s knowledge and consent
  • Data can only be used for the purpose on which the subject has been informed
  • Only data strictly necessary for those purposes can be processed, and only during the precisely required time
  • And, the data must be accurate and up-to-date and must be treated in a secure and confidential manner.

So GDPR offers almost all the answers to the legitimate use of data, but the technology – and the types of use cases, with federation of data consent and the use of e-certificates – are all moving ahead so quickly that the regulation also raises some questions.

All parties are moving ahead on the basis of clear use cases, one by one, so that principles of data consent and legitimate use of data are performed to the satisfaction of everyone: automotive OEMs, insurance providers, intermediaries, regulators, and of course the customers themselves.

We at LexisNexis® have been supporting a series of workshops, both internally and externally in the US and around Europe, as well as data retrospective studies, to enable these conversations to happen based on the real business data of the recent past.

Our Connected Car team and our product teams around the world have been laying the groundwork for some time, mining data value from vehicle technology, benchmarking Advanced Driver Assistance Systems (ADAS), building on our experience with data normalisation, anonymisation and data protection. LexisNexis Risk Solutions is also participating in the SmashHit consortium being pioneered by the European Commission, ‘Smart Dispatcher for Secure and Controlled Sharing of Distributed Personal and Industrial Data’, funded by the EU in Horizon 2020 programme.

There is already a lot out there. About 60% of the world’s vehicles on the road are equipped with some form of ADAS.

Then there’s the other risk element of human behaviour: a recent US study found that 30% of drivers have toggled off their adaptive cruise control. Another 23% of drivers said they’ve disabled their assisted lane keeping system (ALKS) and the most common reason for drivers turning off ADAS features is that they find them ‘annoying’ or ‘distracting’.

As ADAS and assisted driving evolves and gradually expands over the entire car, we are working to make the use and understanding of information easier both for OEMs and insurers.

Taking LexisNexis® Vehicle Build as an example, this is our unique classification that identifies and categorises specific ADAS equipped features at the Vehicle Identification Number (VIN)-level. It enables insurance providers to establish the differences in risk profile associated with these features and their multiple clusters and combinations. Because the VIN leads to the registered vehicle owner, vehicle build data is considered personal, and therefore it is protected under GDPR.

Data roles and responsibilities under GDPR

Depending on each data function and the role of each participant in performing a connected vehicle service, GDPR defines the legal responsibilities as follows:

  • ‘controller’, is the participant who determines the purposes and means of the processing of personal data (which might be the vehicle OEM or the party holding the primary customer relationship)
  • ‘processor’, processes personal data on behalf of the controller
  • ‘recipient’, is a participant to whom/which the personal data are disclosed, whether a third party or not (which might be an app, financial service provider or other intermediary necessary for performing a service)
  • ‘third party’, is a participant other than the data subject, data controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

Certain parties can perform the role of data processors or data controllers depending on the jurisdiction. These are sophisticated legal relationships specified in commercial contracts and service level agreements. But it’s enough to state that whether data is processed on the basis of consent or legitimate interest – the legitimate legal requirement to perform a back-end function – none of these can override the GDPR requirement to protect the “fundamental rights and freedoms of the data subject”.

No matter the role they assume, companies have to fulfil the obligations stated earlier. This requires the ability to ensure data security, data inventory processes, anonymisation in the right places and in the right instance, data accuracy, minimisation and transparency. The data journey from the initial car purchase to rolling out of the showroom fully insured and connected to the Internet may look like a winding road, but there are many experts making this happen.

How it works in the real world

Finally, here’s a real world example of how insurance is changing with the connected car and the features that are available from the dashboard. Let’s suppose ‘Average Joe’ bought a new-generation Volkswagen Golf that comes with all the latest ADAS features, such as Proactive Occupant Protection (similar to Mercedes-Benz Pre-Safe), multi-collision brake system, adaptive cruise contol, lane keeping assist, automatic emergency braking, and much more. It also comes with an embedded e-commerce platform thanks to Average Joe’s personal Volkswagen ID available to users on request.

Average Joe will be able to shop for insurance directly from the website of his chosen automotive brand, or even in the showroom from the dashboard or infotainment system. If he chooses a lease car his insurance options will be bundled together with other services. He is keen to get a discount, since he spent a lot on his new car.

Shopping around, Average Joe asks for three quotes from insurance companies he has used before or has heard about. He has in his hands the car manual, with all the technical details, but he does not understand most of it. He is relieved when one of the companies informs him that it can get all the ADAS information about his brand new VW directly from the manufacturer, together with his insurance history and all the details needed to come up with a quote.

The next step is between the insurer and LexisNexis Risk Solutions. By accessing the LexisNexis® Vehicle Build platform, the company will receive the OEM data, ready to ingest into the insurance onboard process, with a vehicle safety score and augmented with a ready-made (device-agnostic and on-demand) telematics score for the driver if required. With that in hand, the insurance provider can make a highly informed decision and offer Average Joe a good, competitive price.

Behind the scenes, a lot of work has already been done between LexisNexis Risk Solutions and OEMs. In this process, everybody in the chain benefits, and it is about minimising the data integration, data collection costs, leveraging the power of an equitable data platform, and bringing this transformation into the mainstream.

LexisNexis Risk Solutions, part of RELX, is a global data technology and advanced analytics leader, with customers in over 100 countries worldwide.

Automotive Insights

LexisNexis Automotive Insights is the go to resource for discussion on helping you maximize your data productivity and efficiency to help improve the car ownership experience.