Pilot #2: Compliance-as-a-Service for cloud-based collaborative automotive management in a cross-organisational setting


The CAS automotive CRM (Customer Relationship Management) system, which is used in this trial, caters to the needs of multiple stakeholders participating in the network of car dealerships. Today, car dealers use modern networking and computing capabilities that include online services that store and process their users’ personal data. Cross-organisational collaboration involves the full breadth of involved stakeholders within the automotive CRM context: car dealers, car manufacturers, suppliers, auto certification services, call centres, service providers, customers, lead data providers, vehicle license issuers, vehicle registration certificate issuers, employees, job applicants, leads, or even banks. The information processed in this trial includes personal information such as client and lead data, digitalised receipts, client activities, services provided to clients, or interactions of all stakeholders with clients and leads. The aim of the trial is to enforce GDPR compliance in typical settings in which car dealerships conduct their business and network. The aim of the trial is broken down into the following three research and innovation goals:

  1. Enforcement of the data subject rights in cross-organizational operations. This research objective requires the implementation of the management of retention periods, the right to erasure, and the management of the data transfer processes.
  2. Enactment of process reengineering for GDPR compliance, which should improve existing customer management processes in line with the GDPR regulation.
  3. Improvement of data security by performing a risk assessment of the trial and subsequent implementation of security mechanisms and measures to overcome the discovered risks.

Three use cases compose the CAS automotive CRM trial. Use case 1 for the digitalisation and automatic workflows; use case 2 enacts cross-organisational collaboration; use case 3 provides cross-organisational lead generation and management.

Detailed description of the use cases

Use case 1: digitalisation to automatic GDPR-compliant workflows

The digitalisation entails data modification processes that need to comply with GDPR including customer self-service processes, such as service appointments, or customer satisfaction surveys. The processes are improved in this use case based on the discoveries done by applying process mining to automotive dealer data. Relevant processing operations taking place in automotive IT environment (for instance CRM, dealer management system, document management system…) are listed below:

  • Collection of consent, vehicle inspection data, vehicle repair requests, and vehicle inspection appointments.
  • Storage of vehicle inspection data, vehicle repair requests, digitalised repair receipt, and vehicle inspection appointments.
  • Disclosure by transmission, dissemination or otherwise making available of digitalised repair receipt, vehicle inspection appointments, vehicle inspection data, and vehicle repair requests.
  • Consultation, use, and erasure of the above data.

This use case focuses on the following test cases and tools:

  • CAS.1 — GDPR-requests and consent management: user-centred tools.
  • CAS.4 — Improve process in line with GDPR: process mining and discovery tool.


Use case 2: enforce subject rights across multiple systems

Use case 2 shows the preliminary assessment of the impact analysis of this use case as data subjects, car dealerships, the BPR4GPDR user-centred tools, vendor-specific marketing tools, vendor-specific product configurator, OEMs (Original Equipment Manufacturers), dealer management systems (DMS), and other systems perform processing operations in each workflow step. The processed information includes personal data of the data subject, consent information, car data, repair data, leasing contracts, leasing configuration of contracts, marketing campaigns, and data subjects’ signatures.

The use case entails gathering consent to undertake the follow-up leasing campaign upon the immediate or prior consent given by the data subject. It involves the participation of the data subjects to give their consent as well as the car dealership’s automotive CRM system and vendor-specific marketing tools, product configurators, and data management systems (DMS).

Follow-up leasing campaign workflow

This use case focuses on the following test cases and tools:

  • CAS.2 — Right to erasure across multiple IT systems: user-centred tools.
  • CAS.3 — Management of retention periods: user-centred tools.

Use case 3: risk assessment of cross-organisational lead management

Use case 3 involves data subjects, car dealerships, lead agencies, address brokers, OEMs (Original Equipment Manufacturers), and other systems perform processing operations in each step of their collaborative workflow. The information these stakeholders share include contact data of the natural persons constituting data subjects, lead generation criteria and other sensible information. The process will be assessed and improved with regard to its compliance with GDPR by using the risk assessment tool, apply improved security measures and again assess the risk. The following are the most relevant processing operations that take place in cross-organisational automotive CRM systems with regard to use case 3:

  • Storage of test drive requests, leads data, and web surfing data.
  • Secure disclosure by transmission, dissemination or otherwise making available of test drive requests, web surfing data, generated leads, and lead generation criteria.
  • Statistics on and combination of test drive requests, web surfing data, and leads data.
  • Erasure or destruction of test drive requests, web surfing data, generated leads, lead generation criteria, leads data, and personal data.

This use case focuses on the following test cases and tools:

  • CAS.3 — Management of retention periods: user-centred tools.
  • CAS.5 — Risk assessment: risk assessment methodology.
  • CAS.6 – Release of anonymised information: encryption & anonymisation tools.