UK associations launch initiative to strengthen vehicle data deletion practices

Published on February 25, 2026

An industry-wide initiative to strengthen data deletion practices has been launched in the UK used car and van sector.

Backed by the Vehicle Remarketing Association (VRA), the new Data Deletion and Privacy Protection Certificate was developed with input from auction operators, compliance experts, and technology providers by the National Association of Motor Auctions (NAMA).

It addresses data deletion procedures, auditability and reporting, operational workflows, and General Data Protection Regulation (GDPR)-aligned governance.

“Legal analysis and regulatory expectations make clear organisations handling vehicles — including rental, leasing, fleet and remarketing businesses — become data controllers for personal data stored in a vehicle once it returns to their possession,” said Jonathan Butler, VRA legal counsel and partner at Geldards, in a VRA press release.

“Failing to delete this data before the vehicle is passed to another user may constitute unlawful processing and a personal data breach, potentially contravening several articles of UK GDPR. The new NAMA certificate provides the means for the automotive industry to take decisive action to protect consumer privacy as connected vehicle features continue to expand the volume of personal data stored in modern vehicles.”

VRA member Privacy4Cars is the first approved supplier under the initiative, following assessment of its data-deletion platform, which met key requirements, ensuring that personally identifiable information (PII) and other sensitive data are removed from vehicles in a consistent and verifiable manner before resale, the release states.

“As cars and vans incorporate more and more digital technology, the responsible management of the personal data stored in them is becoming an increasingly acute issue,” said Philip Nothard, VRA chair, in the release. “From navigation histories and call logs to synced contacts and messages, modern vehicles routinely store sensitive information, and when those vehicles are returned, resold, or remarketed, that data frequently remains.”

The release adds that, under the GDPR, any organization that determines the purposes and means of processing personal data becomes a data controller. When a rental, leasing, fleet, or remarketing business regains possession of a vehicle, it assumes control over the data stored within it, it states.

“Passing a vehicle to another user without erasing the data may amount to unlawful processing and a personal data breach,” the release states.

VRA notes that relying on customers or staff to delete data is not GDPR-compliant.

According to the GDPR and Data Protection Act 2018, anyone responsible for using personal data must make sure the information is:

    • used fairly, lawfully, and transparently;
    • used for specified, explicit purposes;
    • used in a way that is adequate, relevant, and limited to only what is necessary;
    • accurate and, where necessary, kept up to date;
    • kept for no longer than is necessary; and
    • handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction, or damage.

A panel discussion at a Collision Industry Conference (CIC) meeting last year covered an important step in the total loss process for collision repair shops to keep in mind — erasing PII from vehicles.

Matthew Pitta, Lucid’s body repair technical team manager, explained that on the OEM’s vehicles, there is a series of steps to go through on the center display to delete PII. Pitta said Lucid is working on a pass/fail visual checklist for shops to follow for total losses. Once available, shops will be required to upload photos to prove completion of the checklist.

Scott Webber, with Copart, said if his company discovers any PII in a vehicle, it’s secured, including on vehicle apps, such as GPS and infotainment systems. They’ll follow OEM steps to reset the vehicle to factory settings, but only if the seller requests it or the process is automatically included in certain contracts.

Christina Sepulveda, SPARK Underwriters’ director of customer experience, noted that when shops remove PII, cyber liability risk is reduced.

Images

Featured image credit: Just_Super/iStock

Continue reading on website
Other news

Utah OEM replacement parts bill passes House

February 24, 2026
A bill in Utah that would require the use of OEM crash parts has passed the House following a favorable recommendation from its Transportation Committee.As amended, HB 119 would require auto insurance policies at the time of purchase to include “ a clear and conspicuous disclosure of whether the insurer intends to use non-OEM aftermarket crash parts or OEM aftermarket crash parts for repairs.”It w

Rhode Island legislators reconsidering appraisal deadline bill

February 25, 2026
A bill has been introduced in the Rhode Island House that would increase the minimum number of days insurance companies must complete vehicle damage appraisals, as requested by auto body repair shops, from three to four.H 7604 would also increase the penalty for failure to have an appraisal performed by a licensed appraiser from $2,500 to $5,000. It is similar to a bill that was introduced in the