
What is GDPR and why ignoring it could cost you 20 Million Euro

April 30, 2018

In our November and March client newsletters we made mention of GDPR – the General Data Protection Regulation – a far-reaching new data privacy law that comes into force in May 2018. The comprehensive new legislation aims to bolster protection of personal data and online privacy for users in all EU states and applies both to legacy data and to any data collected henceforth. With potentially business-folding penalties for non-compliance and the date of enforcement looming, we thought we’d dig deeper into the ramifications of GDPR: whom it affects in New Zealand, how to go about achieving compliance, and our approach here at Apex Digital.

What is GDPR?

The General Data Protection Regulation has been established with the primary objective of creating a single, coherent framework for the protection of personal data across the EU. Now, DON’T STOP READING BECAUSE WE’VE MENTIONED THE EU twice now and you don’t see the relevance as you’re based in New Zealand. Regardless of where a business is based in the world, if it targets individuals within an EU state with marketing or sales messages, offers them goods or services, or monitors their behaviour, it needs to be GDPR-compliant. This means any NZ business that collects or holds personal data from residents of an EU state needs to sit up and pay attention.

We view the GDPR as a good thing because it outlines a thorough set of obligations and principles for companies to meet and follow that will increase privacy rights and data protection for individual online users, in turn hopefully reducing scandals like the recent unsolicited harvesting of personal data from an estimated 87 million Facebook users by Cambridge Analytica, and the general misuse of personal data. In layman’s terms, GDPR tightens the belt on how companies go about acquiring and processing personal data (names, email addresses, photos, computer IP addresses, etc.) and how they handle and store that data after it has been collected.

As a website owner, you need to be sure that you are abreast of this new law so that you don't fall foul of it, especially since a website is an important channel for the collection of personal data via web forms such as contact forms, application forms and newsletter subscriptions.

GDPR consists of six general principles of data privacy:

  1. Lawfulness, fairness and transparency of data processing
  2. Purpose limitation: personal data should be collected only for specific, explicit and legitimate purposes
  3. Data minimisation: only personal data relevant to the specific purpose should be saved and processed
  4. Accuracy of data: any inaccurate personal data should be corrected or deleted. Where necessary, data must be kept up to date.
  5. Retention of data: data must be kept in an identifiable format for no longer than necessary
  6. Integrity and confidentiality: data must be kept secure

Who does GDPR impact?

As mentioned above, the most significant aspect of GDPR is that the legislation no longer applies only to companies located within the 28 European Union countries. Its reach now extends to any company dealing with personal data of EU state residents, regardless of which country the company operates from. For instance, a New Zealand news website that collects email addresses via a membership platform will be subject to GDPR compliance should it have members in a European state.

To identify whether your company needs to adhere to GDPR, ask yourself the following:

  • Does your company offer EU residents goods and services? If so, you may also need to check on the compliance of third parties involved in your website transactions, as per the next bullet point
  • Does your company rely on third parties who store or transmit data to or from EU states?
  • Does your company collect, transmit or process data pertaining to EU residents?

The main players in the GDPR equation are:

  • The ‘individual’ whose data is in question
  • The ‘data controller’ – the individual or organisation determining what personal data will be processed and how it will be done
  • The ‘data processor’ – anyone who processes the personal data on behalf of a controller (potentially a cloud provider or a company processing payroll)

It’s important to note that all parties have new rights and responsibilities under GDPR. The individual has the right to request all personal data a controller holds about them, evidence of their consent to hold that data, and details of how it is protected, but most importantly: the right to have this data deleted. Unlike under the old Data Protection Directive (the legislation GDPR superseded), data processors are now directly liable for compliance with certain parts of the Regulation.

Will Brexit mean British customers aren’t covered by GDPR?

While the United Kingdom’s exit from the European Union is imminent, this will not release UK companies from their GDPR obligations. Instead, UK companies will still have to follow GDPR in their dealings with personal data pertaining to EU residents. Most importantly for Kiwi companies, all indications are that even post-Brexit the UK will implement personal data and online privacy regulation just as demanding as GDPR, so any data already held or to be collected from UK residents should undergo the same scrutiny as data from any other GDPR-affected EU state.

Penalties for non-compliance

GDPR has in fact been in existence since April 2016, requiring organisations holding, transmitting or processing EU resident data to comply with the law. The major development that we are speaking about today is the approaching enforcement of the law, which will begin on 25 May 2018. Enforcement agencies have already begun visiting companies in the EU to assess compliance and are expected to do so in other countries including the United States as soon as mid-2018.

The financial penalties for non-compliance are enough to get even the biggest corporations thinking – either 4 per cent of annual global revenue or 20 million euro (whichever is greater).

What’s involved in being compliant?

The number one most important thing to think about when considering your GDPR compliance is that the Regulation applies both to legacy data you already possess and to any data you collect in the future. This means the process used to acquire the legacy data needs to have met the current GDPR standard. If it doesn’t, the data controller needs to try to gain consent from the individual to continue to hold and process their data. If that consent isn’t obtained, the data needs to be destroyed. We’ve heard horror stories from the UK where companies have unfortunately had their data sets gutted through this painful, yet legally necessary, process.

Businesses should already be creating detailed documentation and protocols for how EU customer data is collected and processed, and what actions will be taken to protect the data in the case of a breach. When consent is required (it isn’t always necessary if other processing conditions apply) the purpose for the data collection needs to be justified.

Documentation and mapping of data collection and processing is so important not only to meet the GDPR requirements, but because individuals (customers) can trigger enforcement action by lodging formal complaints with the GDPR supervisory authorities. Grounds for a complaint would be a company’s inability to promptly and completely respond to a customer’s request regarding their personal data. Companies need to be able to provide the individual with all data they maintain about them, how their consent was secured, how the data is secured and tracked on an ongoing basis, and any involvement by third parties.

How Apex are dealing with GDPR

While we are industry leaders in digital marketing, we are not lawyers! As such, we aren’t in a suitable position to provide legal advice for businesses impacted by GDPR. What we have been doing is contacting all our affected clients, informing them of the GDPR enforcement date and advising that they seek legal advice to ensure they are taking the right steps to become and remain compliant. If you’d like to read more about GDPR, please feel free to peruse the reference articles and documents we’ve compiled from the Privacy Commissioner and others:

https://privacy.org.nz/privacy-for-agencies/gdpr-resources/

https://www.rsm.global/newzealand/news/cyber-series-gdpr-what-it-and-what-new-zealand-entities-need-consider

https://premium.wpmudev.org/blog/gdpr-compliance/

https://www.eugdpr.org/

https://www.opentext.com/campaigns/infosec-compliance/gdpr

https://www.cio.co.nz/article/598458/cio-upfront-implications-nz-organisations-new-eu-data-protection-regulation/

https://www.itgovernance.eu/blog/en/expert-gdpr-qa-international-transfers-brexit-and-eu-us-privacy-considerations

Filed under Apex News

Written by

Karyn, as co-founder of Apex Digital, is primarily responsible for the marketing and strategic direction of the company. With 20 years of specific experience in the Digital Marketing field, Karyn has a wealth of knowledge in the industry and is heavily involved in product/service development for both the Digital Marketing and Website Development sides of the company.
