The General Data Protection Regulation (GDPR) applies from 25 May 2018 and will fundamentally change the way that businesses collect, store and use personal data. While this is European Union legislation, its reach will be felt internationally, including here in New Zealand.
Privacy regulations in the European Union (EU) have long been considered some of the world’s toughest, and those laws are now becoming more stringent—even for organisations outside of the EU such as New Zealand.
The EU’s General Data Protection Regulation (GDPR), adopted in April 2016, requires all organisations that hold, transmit or process the personal data of people in the EU to comply with the law, regardless of whether they have any presence in the EU. The law sets out mechanisms for enforcing it against organisations outside the EU, so it is effectively global in scope.
Failure to comply can result in very significant financial penalties: the regulation provides for fines of up to 4 percent of annual global turnover or 20 million euro, whichever is greater.
New Zealand companies typically think of personal data as things like IRD numbers, credit card numbers or banking information. GDPR, however, is designed to protect any information that could identify a person, including, for example, an email address, a telephone number, biometric data, geolocation data and browsing data.
Some people also fall into the trap of treating this as purely a technology problem. While technology can help with GDPR compliance, a significant amount of the compliance risk stems from underlying business issues, starting with recognising that your organisation may be collecting or processing data about people in the EU at all. Practical protection steps are therefore likely to require clear processes for identifying that data, improved governance, stronger training programmes and improved breach response programmes.
While the regulation has been law in the EU since 2016, it only becomes enforceable on 25 May 2018.
So, what do New Zealand organisations need to consider when it comes to GDPR?
Here are five key considerations.
1. GDPR may apply even if you don’t have operations in the EU
GDPR casts a wide net. Companies, government agencies and non-profit entities that interact with people in the EU are all subject to the new law. Many organisations underestimate the amount of EU data they hold and, therefore, may not appreciate the legislation’s potential effect. Banks, hospitals, hotels and other organisations that hold data about EU residents are all subject to GDPR. Modern digital communication means that consumer data can be collected from around the world and stored within seconds in a variety of ways, including websites, email systems, collaboration platforms, mobile platforms and business applications. It is also important to note that the definition of “personal data” under GDPR is very broad and extends, for example, to geolocation data, browser cookies, biometric data and anything else that could be used to identify an individual. To determine whether GDPR affects your organisation, you need to ask questions such as:
- Do you offer goods and services to EU residents?
- Do you rely on third parties that store or transmit data to or from the EU?
- Do you collect, transmit or process data pertaining to EU residents?
Keep in mind that it doesn’t matter whether the services are free, and it doesn’t matter whether your company has any operations in the EU.
2. Timing for compliance is sooner than you think
While enforcement isn’t set to begin until May 2018, GDPR is already the law of the land in the 28 EU member states. Supervisory authorities have started visiting EU companies to assess their readiness, and they are expected to turn their attention to organisations in other countries, for example the United States, from mid-year. That doesn’t leave much time for organisations to identify what EU data they hold and how to protect it.
3. Customers can trigger enforcement action
Under GDPR, individuals can request a copy of all the personal data an organisation holds about them, together with detailed information about how that data is handled: the specific purposes for which it is held, the lawful basis (including how each individual’s consent is obtained and tracked on an ongoing basis), how long it will be retained, and who it is shared with, including any third parties that process it on the organisation’s behalf. Individuals can also request that their data be provided to them in a structured, machine-readable format suitable for porting to a competitor, or that it be erased from all systems the organisation uses, again including those of any third parties. Responses are generally due within one month. Failure to provide timely and complete responses opens organisations to formal complaints to the relevant GDPR supervisory authority, which in turn can trigger the significant penalties mentioned above.
4. Start mapping and analysing your customer data now
New Zealand organisations should begin identifying, or “mapping”, the EU personal data they hold. It is not uncommon for such data to reside in different departments, divisions or subsidiaries, and in third-party systems. Once found, it will need to be protected and may need to be segregated from other customer data, much as some organisations already have to protect and segregate credit card data through network segmentation under the Payment Card Industry Data Security Standard. Staff role changes may also be necessary: organisations whose core activities involve large-scale, regular and systematic monitoring of individuals, or large-scale processing of special categories of data (such as health or biometric data), must appoint a data protection officer under GDPR.
5. Leverage GDPR compliance as a business differentiator
GDPR is part of a broader trend in an increasingly connected world, and organisations should expect to face privacy compliance obligations on a global scale. By treating this as an opportunity rather than just another compliance burden, organisations can benefit from assessing their privacy policies and procedures and aligning them with this emerging global standard. In doing so they will not only comply with GDPR but will also be better placed to meet new privacy laws as they arise in other regions and countries. Instead of viewing privacy compliance as another cost of doing business, organisations should treat it as a leading practice that can differentiate them from competitors.
It is easy to look at foreign laws and regulations such as this and think “that doesn’t apply to me”, but GDPR is addressing an issue that is inherent in the globally connected world we increasingly live in, and its reach appears to be truly global.
We now use technology on our phones and computers almost without a second thought as to where the information ends up. We capture ever larger amounts of data in our everyday communications, transactions and use of technology, and the incredibly helpful utility of that technology has gradually made us less risk averse about it. But the more data that is collected, the more exposed it becomes to significant breaches.
Just as Anti-Money Laundering and Countering Financing of Terrorism legislation has progressively spread around the world and changed the way we do things (as anyone who has opened a new bank account recently can attest), we expect to see more legislation and regulation like GDPR enacted and enforced in an effort to keep personal data safe.