In our November and March client newsletters we made mention of GDPR – General Data Protection Regulation – a far-reaching new data privacy law that will come into force in May 2018. The comprehensive new legislation aims to bolster protection of personal data and online privacy for users in all EU states and applies to both legacy data and any data collected henceforth. With potentially business-folding penalties for non-compliance and the date of enforcement looming, we thought we’d dig deeper into the ramifications of GDPR… who it affects in New Zealand, how to go about achieving compliance and our approach here at Apex Digital.
What is GDPR?
The General Data Protection Regulation has been established with the primary objective of creating a single, coherent framework for the protection of data across the EU. Now, DON’T STOP READING BECAUSE WE’VE MENTIONED THE EU twice now and you don’t see the relevance as you’re based in New Zealand. Regardless of where a business is based in the world, if it targets individuals within an EU state with marketing or sales messages, offers them goods or services, or monitors their behaviour, it needs to be GDPR-compliant. This means any NZ business that collects or holds personal data from residents of an EU state needs to sit up and pay attention.
We view the GDPR as a good thing because it outlines a thorough set of obligations and principles for companies to meet and follow that will increase privacy rights and data protection for individual online users, in turn hopefully reducing scandals like the recent unsolicited personal data harvesting of an estimated 87 million Facebook users by Cambridge Analytica, and the general misuse of personal data. In layman’s terms, GDPR tightens the belt on how companies go about acquiring and processing personal data (names, email addresses, photos, computer IP addresses, etc.) and how they handle and store said data after it has been collected.
As a website owner, you need to be sure that you are abreast of this new law so that you don't fall foul of it, especially since a website is an important channel for the collection of data via web forms such as contact forms, application forms, newsletter subscriptions, etc.
GDPR consists of six general principles of data privacy:
Who does GDPR impact?
As mentioned above, the most significant aspect of GDPR is that the legislation no longer applies only to companies located within the 28 European Union countries. Its reach now extends to any company dealing with personal data of EU state residents, regardless of which country the company operates from. For instance, a New Zealand news website that collects email addresses via a membership platform will be subject to GDPR compliance should it have members in a European state.
To identify whether your company needs to adhere to GDPR, ask yourself the following:
The main players in the GDPR equation are:
It’s important to note that all parties have new rights and responsibilities under GDPR. The individual has the right to request all personal data a controller holds about them and evidence of their consent to hold the data and how it’s protected, but most importantly: the right to have this data deleted. Unlike under the old Data Protection Directive (the legislation GDPR superseded), data processors are now directly liable for compliance with certain parts of the Regulation.
Will Brexit mean British customers aren’t covered by GDPR?
While the United Kingdom’s exit from the European Union is imminent, this will not relieve UK companies of their GDPR obligations. Instead, UK companies will still have to follow GDPR in their dealings with personal data pertaining to EU residents. Most importantly for Kiwi companies, all indications are that even post-Brexit, the UK will implement personal data and online privacy regulation just as demanding as GDPR, so any data already held or to be collected from UK residents should undergo the same scrutiny as data from any other GDPR-affected EU state.
Penalties for non-compliance
GDPR has in fact been in existence since April 2016, requiring organisations holding, transmitting or processing EU resident data to comply with the law. The major development that we are speaking about today is the approaching enforcement of the law, which will begin on 25 May 2018. Enforcement agencies have already begun visiting companies in the EU to assess compliance and are expected to do so in other countries including the United States as soon as mid-2018.
The financial penalties for non-compliance are enough to get even the biggest corporations thinking – either 4 per cent of annual global revenue or 20 million euro (whichever is greater).
What’s involved in being compliant?
The number one most important thing to think about when considering your GDPR compliance is that the Regulation applies to both legacy data you already possess and any data you collect in the future. This means the process used to acquire the legacy data needs to have met the current GDPR protocol. If it doesn’t, the data controller needs to try to gain consent from the individual to continue to hold and process their data. In the case that this isn’t successfully achieved, the data needs to be destroyed. We’ve heard horror stories from the UK where companies have unfortunately had their data sets decimated through this painful, yet legally necessary, process.
Businesses should already be creating detailed documentation and protocols for how EU customer data is collected and processed, and what actions will be taken to protect the data in the case of a breach. When consent is required (it isn’t always necessary if other processing conditions apply) the purpose for the data collection needs to be justified.
Documentation and mapping of data collection and processing is so important not only to meet the GDPR requirements, but because individuals (customers) can trigger enforcement action by lodging formal complaints with the GDPR supervisory authorities. Grounds for a complaint would be a company’s inability to promptly and completely respond to a customer’s request regarding their personal data. Companies need to be able to provide the individual with all data they maintain about them, how their consent was secured, how the data is secured and tracked on an ongoing basis, and any involvement by third parties.
How Apex are dealing with GDPR
While we are industry leaders in digital marketing, we are not lawyers! As such, we aren’t in a suitable position to provide legal advice for businesses impacted by GDPR. What we have been doing is contacting all our affected clients, informing them of the GDPR enforcement date and advising that they seek legal advice to ensure they are taking the right steps to become and remain compliant. If you’d like to read more about GDPR, please feel free to peruse the reference articles and documents we’ve compiled from the Privacy Commissioner and others:
https://privacy.org.nz/privacy-for-agencies/gdpr-resources/
https://premium.wpmudev.org/blog/gdpr-compliance/
Written by Karyn Ogier
Here from the very beginning, Karyn was originally a co-founder of Apex Digital and carried the Strategy & Marketing Director title for more than two decades. Karyn switched gears at the end of 2018 when she returned to study in a new field. Now in a contract Content Writer capacity, she has a wealth of knowledge in the industry and has been...