GDPR and Parking: comply or simplify?

The parking industry drives more innovation than it gets credit for. The parking experience has been stressful and inefficient for too long, but now we’re starting to see technology offer more convenience, and a smoother process. Soon you can download our 17 trends for smarter parking to learn more.

GDPR has been talked about for some time. Most GDPR conversation in the context of parking is related to the collection of fines or the management of debt data. Enforcers surely have a lot to think about in this regard, but for CCV customers this isn’t the primary question around GDPR and Parking.

As a car park operator, how does GDPR affect your ability to take payments and register customers for your parking service? Should you aim to comply, or go a different route so that GDPR compliance isn’t even a consideration? This article will explore your options.

What is GDPR?

GDPR stands for General Data Protection Regulation. Back in 2012, the EU agreed to revamp its data protection laws in light of the digital revolution. The regulation consists of a set of rules to provide more control to European citizens over the handling of their personal information. It’s about managing data securely, ensuring privacy, and gaining explicit consent for any data use. It came into effect in May 2018.

Organisations are now obliged to acquire and protect data legally, and actively prevent misuse. Every organisation that operates within the European Union is bound to comply, but so are external non-EU organisations that work with customers and clients inside the EU.

Sensitive data includes names and addresses, photographs, IP addresses, and genetic or biometric data. Not only will organisations be forced to manage this data with more care, but citizens have the legal right to be told when their information is compromised. There must also be more transparency into how data is managed by the organisation, and EU citizens now have the “right to be forgotten”.

Organisations are held responsible for breaches. Huge fines are in place for those who don’t comply, ranging from €10 million to 4% of annual turnover. To ensure compliance, large-scale data handlers are obligated to employ a data protection officer (DPO). In some cases, failure to do this will result in a charge of non-compliance.

It’s a complex web of rules. To read them in full, here is the document.

The challenges of compliance

As I’m sure you are aware, there are inherent challenges in complying with GDPR. As recorded in this McKinsey report, and this APP solutions article, these are roughly broken down into:

  • IT implementation
  • System audits and assessments
  • Security controls and breach reporting
  • Data management processes
  • Automation of records
  • Organisational training
  • Budget planning

The McKinsey report also comments:

At a time when individuals are becoming more aware of their rights and more concerned about the use of their personal data, companies must prepare for requests from a range of stakeholders: not just clients and regulators, but interest groups and the media as well. Even compliant organizations run the risk of reputational damage if customers perceive they are not treated fairly. Regulatory reporting requirements and rising customer expectations also put pressure on companies to respond quickly if an adverse event should occur.

It’s no mean feat to ensure bulletproof compliance. The regulation applies concrete rules, rather than vague principles. In some ways, this makes it simpler. In other ways, it leaves less room for manoeuvre.

To GDPR or not to GDPR? That’s the question.

Here are some sentences you’ll have heard a lot in recent years:

  • You must know your customers deeply
  • You must gather and monetise data
  • You must personalise the experience
  • You must optimise targeted advertising

Data is king, according to many experts. However, we would argue that this opportunity to use data isn’t so clear in the fog of GDPR. Commentators champion the potential for using data in smart ways, but not enough organisations are asking whether that actually applies to their individual situation.

The reality is that managing large-scale data has big overheads, including (but not limited to) the employment of a DPO. As we’ve seen from the fines for lack of compliance, handling data also carries more risk than it used to. Is it worth it? In the context of parking, let’s look at two scenarios…

Yes, GDPR is worth the hassle.

Off-street (barriered) car parks, especially those linked to retail and hospitality centres, can certainly benefit from using customer data. It’s already happening in big ways.

Major shopping centres have introduced paid parking, with exemption for customers who register on the brand’s official app. This digital platform records their number plate, alongside key information about their age, gender, address, car model, and more. The parking experience is seamless thereafter, with Automatic Number Plate Recognition (ANPR) giving automatic access and departure. Super convenient.

The shopping centre will then use this data to create profiles for who is in the vicinity at any given time. This insight is used to create compelling offers in retail units and customise advertising banners. It can also deliver personalised discounts to the driver’s smartphone by using push notifications.  

In the long-term, the data is used to schedule specific events at the best times, and project economic value based on demographic information, the owner’s car model, and behavioural patterns.

Put simply: it is possible to realise the full value of this data. And it could be valuable enough to justify the compliance and management overheads. But as an organisation, you should consciously decide whether this can be realistically achieved. In order to realise the full value of data, you will need more than a name and address. This deeper data forces an extra layer of protection, which can add complexity.

Can you avoid the exposure?

Ad-hoc payment solutions carry no GDPR exposure risk. CCV has developed a tap-in and tap-out system for our parking industry clients, whereby the driver will use a contactless (NFC) payment terminal with their credit/debit card or smartphone wallet on entry, and do the same on exit to complete payment.

This carries supreme convenience, bypassing the need for the customer to queue at a machine, display a ticket, or fumble around for coins in the glovebox. The experience is swift, simple, and secure. Customers don’t feel like they’re surrendering an inordinate amount of information. From the operator’s point of view, transaction data can still be visualised without personal information being in the equation.

There is an inherent value in this simplicity, especially if there is no clear plan on how to realise the value of customer data in the long-term. For on-street parking, there is less incentive to record customer data. We would usually advise the simple payment solutions in this case; perhaps offering flexibility of SMS or contactless payments, depending on driver preference and infrastructure.

GDPR and Parking: summary

Let’s make payments happen. That’s the motto of CCV, and we stick by it. There are certainly benefits to using data if it suits your organisation, and our technology supports real-time data feeds of transactions to intuitive dashboards or third-party applications. A number of our clients have done this with success.

The nuanced view on this is: data is powerful, and if you can realise the value of managing huge datasets it makes sense to invest in this capability. But for lots of parking industry stakeholders, this level of data management is simply overkill. We should avoid a blind obsession with data, without the balance of understanding if it’s necessary or if it adds too much complexity, risk, and costs to business operation.

Whether you need ad-hoc contactless payment terminals or a tokenised account-based solution, CCV can help your parking organisation. We adapt to your unique requirements and deliver the payment solutions to delight your customers and grow your business.

About the author

Simon Wood is an energetic international business professional with experience of working with innovative industries in the UK and overseas. Experienced developer of channel and partnership routes to market for both products and service offerings. Enjoys the opportunity to develop the strategies used to deliver results. You can contact him at and +44 7885 433 457.