What Is GDPR, and Why Does It Matter for Your Business?
Failure to comply with the General Data Protection Regulation can have serious financial consequences.
In today's world of data breaches and overly personalised advertisements, many consumers are understandably concerned about the way companies collect, store and use their personal data.
Lawmakers in many parts of the world have heard and responded to these concerns in recent years by passing regulations for how personal data about individual citizens can be processed, stored and used. The most notable of these laws are known collectively as the General Data Protection Regulation, which went into effect in 2018. The European Parliament and the Council of the European Union established the GDPR to ensure greater protection of individual rights of EU members. Noncompliant companies face fines of up to €20 million or 4% of their annual revenue, whichever is larger.
Small businesses in New Zealand aren't exempt from the GDPR just because it's EU-based. These laws impact all corporations handling the data of European citizens, regardless of where they're based. In other words, companies in New Zealand that possess data belonging to a citizen of the European Union must ensure they comply with the GDPR. Failure to comply could result in fines on the same level as any brand operating within the EU.
What is GDPR?
While the ways companies harvest, extract and utilise data have evolved quickly in recent years, the laws protecting a person's information were lagging behind that growth at the time of the GDPR's introduction. The stricter regulations enacted a number of major changes to how personal information is handled, set out in comprehensive terms that apply to all facets of personal data use.
GDPR is based on the idea that EU citizens have a right to know what data about them is being held, how it is being used and what will happen to it in the future. They also have the right for their personal data to be deleted if they request it.
While the GDPR itself is relatively new, the principles behind it aren't. They're essentially updated versions of the principles set forth in the Data Protection Act of 1998. These are the basic principles of the GDPR:
Lawfulness, fairness and transparency: All personal data that companies collect must be processed lawfully, fairly and in a transparent manner. This means you must get proper consent from the customer and explicitly tell them how you're going to use their information.
Purpose limitation: Any data you collect should not be further processed beyond the specific, legitimate purposes you explained to the individual providing their data. Exceptions include archiving data in the public interest, for scientific or historical research purposes, or for statistical purposes.
Data minimisation: Your business should only collect the minimum amount of relevant data you need for your purposes.
Accuracy: All personal data your organisation stores must be current, and you must make reasonable efforts to keep your records up to date. You can't stockpile outdated records for potential use in the future.
Storage limitation: Your company should not keep personally identifiable data for longer than is necessary.
Integrity and confidentiality (security): Your company must establish advanced protection systems and data encryption processes. You also need to assign a designated employee to manage and maintain security.
Accountability: When it comes to breaches of GDPR, businesses are guilty until proven innocent. You are responsible for showing you followed all stipulations outlined in the regulations. Cases can be built on a lack of evidence of GDPR compliance, not just proof of something actually going wrong. You are also required to report breaches of data, such as theft, to the authorities immediately.
To understand exactly what your obligations are under the laws, you can view the official GDPR documents available online.
What kind of data does the GDPR cover?
The GDPR laws apply to any uniquely identifiable personal data you may wish to acquire or store. To qualify as "personal data" under GDPR, the information must be related to an identifiable natural person. In essence, if the information you have can be used to directly or indirectly identify an individual person by reference to their "physical, physiological, genetic, mental, economic, cultural or social identity," it counts as personal data and is covered under the GDPR.
These are some examples of personally identifiable information:
Religious or political affiliations
Genetic or biometric data
What is not covered by the GDPR?
The GDPR does not cover any information that is "not, or is not intended to be, part of a filing system," such as unstructured paper records, nor does it cover personal data relating to a deceased individual.
Anonymised data – that is, personal data that has been altered so that the data subject can no longer be identified – also does not fall under GDPR laws. For example, if you strip all the names, addresses and contact information from your data set and simply have your customers' genders and ages, that data set would be considered anonymised. However, pseudonymised data (where personally identifiable information has been replaced but not eliminated) still counts as personal data under GDPR.
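The distinction above is easier to see on records than in prose. The following Python example is added here to illustrate it and is not code from the article: it takes a small constructed customer list, produces the anonymised view the article describes (direct identifiers stripped, only gender and age kept) and a pseudonymised view (identifiers replaced by a keyed token, with the controller retaining the table that links tokens back to people, which is why such data remains personal data). It goes one step beyond the article with a k-anonymity check, which reports whether any gender/age combination still singles out a single person in the set, and shows age banding as one way to reduce that. The customer records and the HMAC key are placeholders invented for the example.

```python
"""Anonymised vs pseudonymised customer records (added illustration, not the article's code)."""
import hashlib
import hmac
from collections import Counter

# Constructed sample records; these are not real people.
CUSTOMERS = [
    {"name": "Ana Pereira", "email": "ana@example.org", "address": "1 Queen St, Auckland", "gender": "F", "age": 34},
    {"name": "Mei Chen", "email": "mei@example.org", "address": "2 Lambton Quay, Wellington", "gender": "F", "age": 34},
    {"name": "Sophie Kahn", "email": "sophie@example.org", "address": "3 Worcester St, Christchurch", "gender": "F", "age": 38},
    {"name": "Tom Walker", "email": "tom@example.org", "address": "4 George St, Dunedin", "gender": "M", "age": 52},
    {"name": "Rangi Tane", "email": "rangi@example.org", "address": "5 Victoria St, Hamilton", "gender": "M", "age": 55},
]

# Placeholder secret held only by the data controller (an assumption for the example).
KEY = b"controller-secret-key-placeholder"

# Fields that identify a person directly.
DIRECT_IDENTIFIERS = {"name", "email", "address", "phone"}


def anonymise(records):
    """Strip direct identifiers, keeping only gender and age (the article's example)."""
    return [{k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS} for r in records]


def k_anonymity(records, quasi=("gender", "age")):
    """Smallest group size over the quasi-identifier combinations.

    k == 1 means at least one record is the only one with its combination,
    so that person could still be singled out in the 'anonymised' set.
    """
    counts = Counter(tuple(r[q] for q in quasi) for r in records)
    return min(counts.values())


def generalise_ages(records, width=10):
    """Replace exact ages with bands (e.g. 30-39) to merge small groups."""
    out = []
    for r in records:
        g = dict(r)
        lo = (g.pop("age") // width) * width
        g["age_band"] = f"{lo}-{lo + width - 1}"
        out.append(g)
    return out


def pseudonymise(records, key):
    """Replace identifiers with a keyed HMAC token and keep the re-linking table.

    Returns (pseudonymised records, token -> email lookup). Because the
    controller keeps both the key and the lookup, individuals remain
    identifiable, which is why pseudonymised data is still personal data.
    """
    pseudo, lookup = [], {}
    for r in records:
        token = hmac.new(key, r["email"].encode(), hashlib.sha256).hexdigest()
        lookup[token] = r["email"]
        pseudo.append({"subject_id": token, "gender": r["gender"], "age": r["age"]})
    return pseudo, lookup


def reidentify(pseudo_record, lookup):
    """Recover the original identifier from a pseudonymised record via the lookup table."""
    return lookup.get(pseudo_record["subject_id"])


if __name__ == "__main__":
    anon = anonymise(CUSTOMERS)
    print("anonymised:", anon)
    print("k-anonymity on (gender, age):", k_anonymity(anon))
    banded = generalise_ages(anon)
    print("k-anonymity on (gender, age_band):", k_anonymity(banded, quasi=("gender", "age_band")))
    pseudo, lookup = pseudonymise(CUSTOMERS, KEY)
    print("pseudonymised:", pseudo[0])
    print("re-identified:", reidentify(pseudo[0], lookup))
```

Run as a script, the anonymised set of five records has k = 1 on exact gender and age (the 38-year-old and each man are unique), and k = 2 once ages are banded into decades; the pseudonymised record carries a token instead of an email, yet `reidentify` returns the original address as long as the lookup table exists.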
What is the difference between the GDPR, the Australian Privacy Act 1988 and the New Zealand Privacy Act 2020?
How can the EU fine an international company for noncompliance?
Many companies that carry out business within the U.S. will undoubtedly ask why they have to comply with rules of a governing body that operates far outside of their jurisdiction. The GDPR only applies to members of the European Union, so if you aren't c