GDPR: What it means for NZ

GDPR is here!

The GDPR deadline has arrived, so we thought it might be helpful to do a quick recap of what it is and what some of the key considerations are if you are an NZ-based company interacting or intending to interact with the EU.

What does GDPR stand for?

General Data Protection Regulation

What is GDPR?

It is a new European Union (EU) data privacy law that came into full effect on 25 May 2018. It is a replacement for the 1995 Data Protection Directive, which had previously set the minimum standards for the processing of data in the EU.

GDPR Data Security

The purpose of GDPR is to create a unified data protection framework across the EU. It comprises a new set of rules designed to give EU citizens more control over their personal data. It will significantly strengthen the rights of individuals, giving them more power to demand that companies reveal or delete the personal data that they hold.

GDPR is important, and it affects everyone. Almost every aspect of everyday life revolves around data: from social media to banks, retailers and government agencies, nearly every service we use or engage with involves the collection and analysis of our personal data. Your name, credit card number and a whole lot more are collected, analysed and stored by organisations.

And that is a very scary thought, right?

The reforms are designed to reflect the digital age that we now live in and aim to simplify the regulatory environment for business so both citizens and businesses in the European Union can fully benefit from the digital economy.

What does GDPR mean for NZ business?

Overseas Business

GDPR’s reach will extend to New Zealand companies doing business with EU countries or who have customers in the EU. For example, if you have an email database that includes subscribers who live in the EU, then you will need to comply for those subscribers; or if you have a website in the EU, and are advertising to people in the EU, then you will need to comply.

Companies will need to demonstrate where customers' data is stored, its movement, how it will be protected and what it will be used for. If you don't comply, the risk is a fine that could potentially cost the company a lot of money!

Key considerations for companies include

  • Customers have the right to be informed: the right to ask you about their personal data, how it is used, and why it is being used at any time.

  • Customers have the right of access: customers can request a copy of personal information at any time.

  • Right of rectification: people can update (or request updates to) personal information at any time.

  • Right of erasure: people may request that you erase their personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data.

  • Right to object: people can unsubscribe at any time from emails or communications.

Under the GDPR, there are six general principles of data privacy which need to be taken into consideration and embedded in company data and information practices:

1. Lawfulness, fairness, and transparency of data processing

2. Purpose limitation: personal data should be collected for specific, explicit and legitimate purposes

3. Data minimisation: only personal data relevant to the specific purpose should be saved and processed

4. Accuracy of data: any inaccurate personal data should be corrected or deleted. Where necessary, data must be kept up to date.

5. Retention of data: data must be kept in an identifiable format and no longer than necessary

6. Integrity and confidentiality: data must be kept secure

Some important terms and definitions to understand:

  • 'Personal data' includes anything from a name, a photo, an email address, a computer IP address or health information, for example. Data processing could be anything from obtaining, recording or holding the data to carrying out any actions with it.

  • 'Data controller' means the organisation “which [...] determines the purposes and means of the processing of personal data”.  

  • 'Data processor' means the organisation “which processes personal data on behalf of the controller”. Unlike the old data privacy directive, the GDPR will affect data processors, as it will place them under obligation to comply with certain data protection requirements that only applied to data controllers before.

So, if you are doing business in the EU, you should have your compliance plans in place, and if you intend to do business in the EU, a compliance plan needs to be in place prior to engaging.

Further information:

The Office of the Privacy Commissioner has a number of helpful resources and links:

https://www.privacy.org.nz/

For a basic overview of GDPR:

http://ec.europa.eu/justice/smedataprotect/index_en.