GDPR, CCPA, LPPD - more and more countries are adopting comprehensive data protection regulations that local companies in particular have to comply with. For operators of globally connected car fleets, this can lead to enormous challenges in terms of platform setup and compliance management. With Jörg Tischler, responsible for the Connected Car division at T-Systems, we discuss why the automotive industry in particular should pay special attention to data protection and how these requirements can be dealt with.
Detecon: Mr Tischler, why do car manufacturers have to deal so intensively with data protection issues?
Jörg Tischler: Modern vehicles are highly complex systems. They not only take me from A to B, but also collect an impressive amount of highly interesting data on the way there - my GPS history, the tracks of the current Spotify playlist or even biometric data records in the direction of eye tracking and voice patterns. This is primarily due to networked services: the more data that can be integrated here, the more I can personalise services to meet customer needs. This personalisation opens up new possibilities for me as a provider, but conversely also brings with it the need for a solid data protection concept.
Detecon: What other systems need to be considered here besides the vehicle itself?
Jörg Tischler: Connected cars typically have a strong exchange with a backend connected service platform. Many of the services that are available in the head unit or mobile app are centrally coordinated here and supplied with the necessary information. It is therefore imperative that such a backend complies with the respective data protection regulations in order to enable secure data exchange with the vehicle. Connectivity between the vehicle and the backend also plays an essential role. Mobile data connections, for example via integrated SIM cards or dongle solutions, must be appropriately secured in order to avoid data loss or leaks during transport.
Detecon: Most car manufacturers now address global sales markets. As a manufacturer, how do I deal with sometimes extremely heterogeneous regional data protection requirements?
Jörg Tischler: Two points: high internal standards and a powerful, flexible platform architecture. A modular, hyperscaler-agnostic system remains operational and scalable even in the face of diverging regulatory requirements. Combined with consistently high demands on internal organisational and process design, automotive OEMs can thus establish themselves as reliable data stewards even in regulatorily challenging markets without having to fall back on inefficient regional special solutions or reduced functional scopes.
Detecon: What constitutes data stewardship and what are the advantages compared to more opportunistic data protection approaches?
Jörg Tischler: Data stewardship is based on the realisation that high-quality and well-structured data sets are essential prerequisites for the long-term success of digital service and platform models. In the context of data protection, the focus is naturally on personal data, but the basic concept remains the same - responsible handling of the data sets available in the company. This naturally includes obtaining the necessary customer consents and comprehensive protective measures against unauthorised use of this data. A consistent orientation towards the responsibilities of the data steward and general data governance best practices prepares the organisation for long-term and carefully designed data processing, which is certainly in the spirit of many data protection frameworks. While this proactive approach may initially lead to additional investment, it is far more resilient than reactive compliance efforts that must inevitably deviate from core architectural principles and thus cause an increase in future legacy components. The use of these insufficiently integrated platforms and special solutions leads to significant inefficiencies and associated higher operating costs in the long term.
Detecon: An exemplary data protection system should of course also appeal to the end customers...
Jörg Tischler: Correct. In the past, car manufacturers have positioned themselves strongly on safety and comfort. Data protection is security - transferred to the digital space. And convenience also means that my contact data will not be misused as a result of data leaks. Solid data protection management is simply a core requirement for any business model around digital platforms and service subscriptions. This is especially true for the automotive industry.
Detecon: In future, should we expect to be subjected to a data protection disclaimer before every engine start?
Jörg Tischler: I hope not. Numerous web providers have already demonstrated very convincingly how data protection should not work with disclaimers and cookie regulations. In the context of connected cars, we already see very promising approaches to effectively and unobtrusively request user consent, feed it into the relevant business processes and secure them accordingly. The necessary ideas and concepts are there. The design requires focus and concrete planning. These kinds of projects and requirements are just starting at our customers and require a high level of professional and technical integration knowledge.
Detecon: Thank you very much for the interview!
For deeper insights around privacy in the connected car context, we recommend a look at our whitepaper "Global Privacy Management for Connected Vehicle Fleets".