Who Owns Your Dealership's Data?
Most dealers answer without pausing. The contract says we own it. The system is ours. The customer is ours. POPIA does not work that way.
I had an interesting conversation recently about data. About its value. About who owns it.
The conversation stayed with me, so I went to investigate what POPIA allows.
It comes down to one question.
Who owns the data in your dealership?
Most leaders answer without pausing. The contract says we own it. The system is ours. The customer is ours.
POPIA does not work that way.
Dealers speak about data as an asset. Providers call it a revenue stream. The presentations talk about monetisation, customer intelligence and predictive analytics. The language sounds sophisticated. The control underneath it is often far less so.
Data is valuable. That part is settled. The harder questions are who owns it, who may use it and what the law allows. South Africa does not answer the first one the way most dealers expect. POPIA hands ownership of personal information to nobody. It works through responsibility and purpose, and it sets limits on use. Ownership is not the test. Control and lawful purpose are.
So the real question is not whether your data is valuable. It is. The real question is who controls it, who may use it, who profits from it and what POPIA allows each party in the chain to do.
Many businesses cannot say who has access to their data, what those parties may do with it, what it costs to extract or what happens when the relationship ends. Automotive retail carries more of this exposure than most industries.
A dealership management system sits at the centre of the operation. It holds customer details, vehicle and sales records, finance activity, workshop history, parts transactions, leads, invoices and management reporting. The dealership relies on it to operate. The customer relies on the dealership to protect it. The provider controls the system through which most of it moves.
That creates a simple question with a complicated answer. Who actually controls the data?
A warning from another market
In another market, a major dealer technology provider agreed to pay hundreds of millions to settle antitrust claims that it restricted access to dealership systems and drove up the prices software vendors paid to reach dealer data. The provider denied wrongdoing.
That case was about competition and platform access, not privacy. The distinction matters. The power did not come from selling a customer list. It came from controlling the gateway every other provider needed to reach dealership information.
The dealerships generated the transactions. Their staff captured the information. Their customers supplied much of it. The platform still held the controlling position. A business can generate the data, own the customer relationship and still depend on someone else for access to it.
That should unsettle any dealer group that calls data one of its assets.
The ownership question is too simple
The first response is predictable. The contract says we own the data. That sentence protects less than most leaders think.
Ownership language does not say how fast you can get a complete export, in what format or at what cost. It does not deal with historical records, attachments, audit trails or data held by subcontractors. It does not say whether the provider may aggregate the information, use it to build products, train models, create benchmarks or sell insights to others. It does not say what stays on the provider's systems after termination.
You can hold an ownership clause and still hold very little control. The reverse also applies. A provider can hold and structure the information without an unrestricted right to use it.
Possession, ownership, access and lawful use are different questions. POPIA treats them as different questions. The industry treats them as one. They are not.
Dealership data is not one thing
The phrase "dealer data" hides several categories.
Customer personal information. Names, contact details, identity numbers, financial and credit information, communications and marketing preferences.
Vehicle information. VIN, registration, ownership, mileage, repair history and warranty activity, which becomes personal information once linked to an identifiable person.
Employee information. Sales performance, workshop productivity, system activity, call recordings and user logs.
Commercially sensitive information. Stock levels, vehicle ageing, discounts, margins, pricing, lead conversion, finance penetration and branch results.
System-generated information. Usage patterns, integration records, timestamps and error logs created through the platform itself.
Aggregated information. Your results combined with results from other dealerships to build benchmarks and market products.
Each category carries different rights, obligations and value. Calling all of it "our data" skips the work of understanding what it is. POPIA does not let you skip that work.
What POPIA actually allows
South Africa's Protection of Personal Information Act does not hand one organisation universal ownership. It works through responsibility.
The data subject is the person the information relates to. The responsible party determines the purpose and means of processing. An operator processes the information for the responsible party under a mandate.
A dealership usually acts as the responsible party for information collected during a sale, a finance application, a service booking or a follow-up. A DMS, CRM or hosting provider usually acts as an operator, processing it on the dealership's instructions. That role changes the moment the provider decides what else the information will be used for. A provider using your data for its own product development, benchmarking or commercial analysis is making its own call on purpose and means. The contract label does not settle it. The conduct does.
POPIA also sets the limits. Personal information must be collected for a specific, explicitly defined and lawful purpose. The customer must be aware of it. Further processing must be compatible with the original purpose.
So what does POPIA allow? Processing for the purpose the customer was told about, and for purposes compatible with it. A customer who hands over information for a finance application has not authorised every later use. A service booking is not consent to a marketing product. A website lead does not become an unrestricted asset because it entered the CRM.
The original purpose matters. The later purpose matters. The distance between them matters.
Monetisation changes the conversation
Monetisation is sold as a natural next step. You hold the information, the information has value, the commercial team earns from it. The logic skips a step. Monetisation introduces a new purpose, a new beneficiary and often a new recipient.
POPIA does not ban this. It conditions it. You need a lawful basis, a defined purpose, a clear view of who receives the information, the safeguards and the retention period. Consent is one basis. It is not the only one, and a broad privacy policy does not create it. "The system allows us to" is not a basis. "Everyone else is doing it" is not a basis.
A customer expects a dealership to use information to process a purchase, and to pass certain details to a bank, insurer, OEM or warranty administrator as part of the deal. The same customer may take a very different view of that information being packaged into a product that pays parties outside the deal.
Aggregated data still requires discipline
Businesses often answer that the information is anonymised. That reduces risk. It does not end the question.
Removing a name does not always remove the ability to identify the person. A VIN, a service history, a location pattern or a combination of fields can lead back to an individual. POPIA stops applying to de-identified information only where it cannot be re-identified. The bar is higher than deleting the obvious fields from a spreadsheet.
Aggregation also carries a commercial edge. A provider with data across many dealer groups can read the market better than any single dealer. That can support useful benchmarking. It can also move bargaining power to the party with the widest view, while the dealers supplying the raw data get nothing back. You should know what is aggregated, who receives the output, how competitors are separated, how re-identification is prevented and how the value is shared.
Data access is also a competition issue
South Africa already links information access to competition in the motor industry.
The Competition Commission's automotive aftermarket guidelines treat access to technical information as a condition for effective competition. They require certain OEM technical information to reach independent service providers on reasonable terms, while protecting intellectual-property and privacy rights. Those guidelines cover technical repair information, not customer databases. The principle still holds. Control over information decides who competes.
A DMS provider controls more than storage. It controls integration approval, interface availability, extraction cost, migration timing and the conditions under which another provider operates. Those controls shape your choice of CRM, analytics, lead management, workshop and reporting tools. The supplier becomes part of your competitive structure. That deserves the scrutiny you give any major dependency.
The cleanest control test is the exit test
Most businesses learn the strength of their data rights when they try to leave.
The contract says you own the data. The export arrives unusable. Attachments are missing. History is incomplete. Custom fields have vanished. Support carries an unexpected fee. The migration runs for months while the operation stays tied to the old system.
That is not control.
A proper agreement settles exit before the relationship starts. It fixes the export format, delivery time, historical scope, cost, support and attachments. It deals with audit trails, backups, derived information, subcontractors and deletion after termination. It covers how you keep trading during the move, what the provider may retain and the provider's rights over aggregated outputs.
The ownership clause is one line. The exit terms show the real position.
The security risk stays with the business
Outsourcing the system does not outsource the responsibility.
POPIA requires the responsible party to secure personal information through reasonable technical and organisational measures, to bind the operator to the same in writing and to be told when the operator has reason to believe unauthorised access has occurred.
The dealership stays the visible party. The customer calls you. The regulator asks who set the purpose. Management explains who had access, what controls existed, how fast the breach was found and what followed.
At that point the supplier contract matters and the supplier's security slide deck matters far less. You should know where your information sits, who can reach it, which providers use subcontractors, which systems connect and how an incident moves through that chain. A list of approved suppliers is not a data map.
What leadership should demand
Data governance cannot stay a compliance file leadership sees once a year. These questions belong with the people running the business.
Hold a current map of the information moving through the dealership. Where it starts, which systems receive it, which third parties have access and which purpose attaches to each transfer.
Make every material technology contract define access, security, further use, integration and exit. Make every proposed data revenue stream state what information creates the revenue, whose it is, who receives it, what the customer was told and what risk stays with the dealership. Make every provider using aggregated information explain the method, the re-identification controls and the rights in the output.
Know how long you can trade without your primary DMS, and how you recover the information needed to keep going.
These are operating questions. Treating them as legal wording after the deal is signed is how businesses lose control.
Back to the question
Data can produce better decisions, stronger retention and new income. It can also produce dependency, liability and hidden market power. The same database can be all of them at once.
So return to where this started. Who owns the data in your dealership?
POPIA gives an uncomfortable answer, and an honest one. Nobody owns it the way you own a building or a vehicle. The customer holds rights in it. The dealership holds responsibility for it. The provider holds access to it. POPIA does not hand you ownership. It hands you accountability for the purpose, the use and the protection of the information.
That changes the question worth asking. Not "do we own our data," but "can we account for it." Who can reach it. Who may use it. Who profits from it. What the customer was told. What POPIA allows. What happens the day you try to leave.
A dealership that can answer those questions controls its data. A dealership that cannot does not have a data asset. It has a dependency it has not yet measured.
Personal views only. Content does not represent any employer, partner, client, association or organisation. This article is general commentary and education, not legal, financial or professional advice.
Sources
- Reuters, Auto tech firm CDK reaches $630 million settlement in US dealer data case, 28 January 2025.
- Protection of Personal Information Act 4 of 2013, particularly sections 1, 13 to 15 and 18 to 23.
- Competition Commission of South Africa, Guidelines for Competition in the South African Automotive Aftermarket, 2024, section 12.
