Failure to comply with the General Data Protection Regulation can have serious financial consequences.
In today's world of data breaches and overly personalised advertisements, many consumers are understandably concerned about the way companies collect, store and use their personal data.
Lawmakers in many parts of the world have heard and responded to these concerns in recent years by passing regulations for how personal data about individual citizens can be processed, stored and used. The most notable of these laws are known collectively as the General Data Protection Regulation, which went into effect in 2018. The European Parliament and the Council of the European Union established the GDPR to ensure greater protection of individual rights of EU members. Noncompliant companies face fines of up to €20 million or 4% of their annual revenue, whichever is larger.
Small businesses in New Zealand aren't exempt from the GDPR just because it's EU-based. These laws impact all corporations handling the data of European citizens, regardless of where they're based. In other words, companies in New Zealand that possess data belonging to a citizen of the European Union must ensure they comply with the GDPR. Failure to comply could result in fines on the same level as any brand operating within the EU.
What is GDPR?
While the ways companies harvest, extract and utilise data have evolved quickly in recent years, the laws protecting a person's information was lagging behind the growth at the time of the GDPR's introduction. The stricter regulations enacted a number of major changes as to how personal information is handled and outlined in comprehensive terms that apply to all facets of personal data use.
GDPR is based on the idea that EU citizens have a right to know what data about them is being held, how it is being used and what will happen to it in the future. They also have the right for their personal data to be deleted if they request it.
While the GDPR itself is relatively new, the principles behind it aren't. They're essentially updated versions of the principles set forth in the Data Protection Act of 1998. These are the basic principles of the GDPR:
Lawfulness, fairness and transparency: All personal data that companies collect must be processed lawfully, fairly and in a transparent manner. This means you must get proper consent from the customer and explicitly tell them how you're going to use their information.
Purpose limitation: Any data you collect should not be further processed beyond the specific, legitimate purposes you explained to the individual providing their data. Exceptions include archiving data in the public interest, for scientific or historical research purposes, or for statistical purposes.
Data minimisation: Your business should only collect the minimum amount of relevant data you need for your purposes.
Accuracy: All personal data your organisation stores must be current, and you must make reasonable efforts to keep your records up to date. You can't stockpile outdated records for potential use in the future.
Storage limitation: Your company should not keep personally identifiable data for longer than is necessary.
Integrity and confidentiality (security): Your company must establish advanced protection systems and data encryption processes. You also need to assign a designated employee to manage and maintain security.
Accountability: When it comes to breaches of GDPR, businesses are guilty until proven innocent. You are responsible for showing you followed all stipulations outlined in the regulations. Cases can be built on a lack of evidence of GDPR compliance, not just proof of something actually going wrong. You are also required to report breaches of data, such as theft, to the authorities immediately.
To understand exactly what your obligations are under the laws, you can view the official GDPR documents available online.
What kind of data does the GDPR cover?
The GDPR laws apply to any uniquely identifiable personal data you may wish to acquire or store. To qualify as "personal data" under GDPR, the information must be related to an identifiable natural person. In essence, if the information you have can be used to directly or indirectly identify an individual person by reference to their "physical, physiological, genetic, mental, economic, cultural or social identity," it counts as personal data and is covered under the GDPR.
These are some examples of personally identifiable information:
Religious or political affiliations
Genetic or biometric data
What is not covered by the GDPR?
The GDPR does not cover any information that is "not, or is not intended to be, part of a filing system," such as unstructured paper records, nor does it cover personal data relating to a deceased individual.
Anonymised data – that is, personal data that has been rendered to make the data subject unidentifiable – also does not fall under GDPR laws. For example, if you strip all the names, addresses, and contact information from your data set and simply have your customers' genders and ages, that data set would be considered anonymised. However, pseudonymised data (where personally identifiable information has been replaced but not eliminated) still counts as personal data under GDPR.
What is the difference between the GDPR, the Australian Privacy Act 1988 and the New Zealand Privacy Act 2020?
How can the EU fine an international company for noncompliance?
Many companies that carry out business within the U.S. will undoubtedly ask why they have to comply with rules of a governing body that operates far outside of their jurisdiction. The GDPR only applies to members of the European Union, so if you aren't collecting data on EU citizens, you are not liable. However, if you offer your products or services to countries in the EU and, therefore, are actively engaged in taking data from the continent, you are responsible for GDPR compliance.
But how can the European Parliament slap you with fines from over 17000 kilometres away and expect you to pay it?
This depends on the situation of your company. If you are a New Zealand Business but have a physical location within the EU, this is where the courts will take their action. If you have no presence in the EU, it becomes harder to enforce, but not by much. The European courts have a strong relationship with the New Zealand Government, and much of the GDPR is bound to international law.
While there are no actual policies in place to deal with specific GDPR measures, it is widely accepted that, due to long-standing levels of official cooperation between New Zealand and EU data protection authorities, New Zealand will support any cases of GDPR infringement made against New Zealand businesses.
Therefore, if you are found to be in breach of the GDPR, penalties will be levied against you. If you fail to meet the demands of the European data protection authorities, the New Zealand courts will enforce the ruling.
The bottom line? You cannot avoid the GDPR's impact by sheer distance between your company and the governing body.
How can New Zealand businesses ensure compliance with GDPR?
Any noncompliance detected by supervisory authorities (who work to enforce European Parliament rulings) will be met with legal action. SAs will investigate any suspicion of noncompliance (tipoffs from workers or third parties, the occurrence of data breaches, complaints from clients or customers, etc.) and have the power to issue warnings, audit your business or take further action.
There are two basic steps a New Zealand based corporation needs to take with regard to the GDPR:
Identify whether or not you are using EU citizen data. If so, make any necessary changes to ensure compliance. The concepts are far more straightforward than the actions required, of course. Identification of what constitutes EU data can mean trawling through vast amounts of information. Compliance also requires much in the way of resource investment and change.
Full GDPR compliance may mean a total restructuring of company policy – especially for small businesses, because their personal data usage isn't widely scrutinised. Many businesses will be apprehensive about this kind of resource expenditure, but you can't underestimate its value when the alternative is a GDPR-based lawsuit.