By Nick Butler
Tags: Development, Other
The GDPR — the EU’s new data protection rules — will apply to some New Zealand organisations, especially those doing internet marketing. Find out if yours is one of these, what this will mean for you, and learn more about the impact of the GDPR in New Zealand.
Wonder why you keep getting privacy policy updates from your internet services? It’s because of the European Union’s new General Data Protection Regulation.
The GDPR came into full effect in May this year and is designed to protect the personal data of all EU citizens.
As a result, it may apply to you even if you’re not based in the EU. Imagine for example that you have a New Zealand travel website that specifically targets people from the EU (maybe you offer Italian language tour guides). If you use your travellers’ personal data (perhaps in your email marketing) then the GDPR applies to you.
The GDPR doesn’t just apply to businesses either, it also covers nonprofits and government.
This post looks at what the GDPR means by ‘personal data’, introduces the principles of the GDPR, shows how you can comply and why you might want to, and looks at where the GDPR and New Zealand privacy law differ and why they might not differ for long.
Disclaimer: Treat this post as background information not legal advice. Everything I know about the law I learnt from watching Boston Legal.
Here’s how the GDPR defines personal data:
“Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”
Hmmmm, that might need some clarification.
If you can use data to identify someone, then it’s personal data.
This can include addresses, email addresses, online identifiers such as IP addresses or cookies, photos, and any information that relates to this identifiable person.
The GDPR treats information on health, race, sexual orientation, religion and political beliefs as more sensitive than other information.
To find out if yours is one of the organisations affected by the GDPR in New Zealand, the first question is: Do you process personal data?
If you do, then you need to comply if:
You have a branch in the EU.
or
You offer goods or services, paid or free, to people from the EU (for example, through a website or app) and you explicitly target the people from the EU (for example, by having prices in Euros).
or
You monitor the internet behaviour of people in the EU in order to profile them or predict their personal preferences (for example, by using your data for behavioural-based advertising).
Note: the EU includes the UK. They’re still in the EU until Brexit and plan to bring GDPR into UK law once they leave.
When the GDPR talks about ‘processing’ personal data, the scope of the term is pretty broad. So collecting the information counts as processing, as does storing, using and deleting it. Also, it doesn’t matter if data is digital or in a physical filing system.
The GDPR separates out two roles, ‘controllers’ and ‘processors’.
A controller decides the purposes and means of processing personal data. A processor does the work on behalf of a controller.
As a controller you need to make sure your contracts with processors comply with the GDPR. As a processor you have specific responsibilities, such as keeping records of your data processing. Sometimes you’ll be both controller and processor.
The GDPR follows six principles:
The GDPR has six specific criteria for deciding if you have a lawful basis for processing personal data. You need to decide ahead of time which one of these is your basis:
1. You have clear consent.
Data processing is necessary for your:
2. contracts
3. legal obligations
4. ability to protect people’s vital interests, i.e. their life
5. public tasks, or official functions
6. legitimate interests, or the interests of a third party.
If you can reasonably achieve the same purpose without the processing, it’s not necessary.
You can get more detail from the UK Information Commissioner’s Office’s in-depth guidance.
If yours is one of the New Zealand organisations covered by the GDPR, you may want to start planning what you need to do for compliance.
The European Commission have put together a good single-page summary. What it pretty much says is:
Do data protection by design. Build data protection safeguards into your products and services from the beginning. The summary breaks these safeguards into the following categories:
Use plain language.
Tell people who you are when you request the data. Say why you are processing their data, how long you’ll store it and who receives it.
Get their clear consent to process the data.
If you collect data from children for social media, check the age limit for parental consent.
Let people access their data and give it to another company.
Inform people of data breaches if there is a serious risk to them.
Give people the ‘right to be forgotten’. Erase their personal data if they ask, but only if it doesn’t compromise freedom of expression or the ability to research.
If you use profiling to process applications for legally-binding agreements like loans, you must:
Give people the right to opt out of direct marketing that uses their data.
Use extra safeguards for information on health, race, sexual orientation, religion and political beliefs.
Here are some steps you could take for a GDPR compliance plan:
Big data processors are busily updating their tools and putting together resources. These can give you a good steer for the practical steps you’ll need to take. Here are a few of them:
Many commentators suggest that thanks to the GDPR, New Zealand will have to enhance our privacy protection. That’s partly because, for data to be easily transferred from the EU to New Zealand, we’ll want to maintain our “adequacy status”. This means that the EU considers that our protection is up to their standards.
There’s a Privacy Bill in front of Parliament currently and this is likely to take some steps along the way. And it’s possible there’ll be further changes as people see how things shake out with GDPR in New Zealand.
The GDPR and the New Zealand Privacy Act are generally aligned, but here are some differences.
| | GDPR | New Zealand Privacy Act |
|---|---|---|
| People have the right to: | | |
| Consent | Consent must be: | You need reasonable grounds to believe you have consent. You can get consent through agreement with a privacy policy. |
| Data breaches | You must report any data breach that risks affecting the rights and freedoms of individuals. If there’s a high risk you also have to tell the people in question. | Reporting data breaches is encouraged but not mandatory (though the new Privacy Bill is likely to require breaches get reported to the NZ Privacy Commissioner). |
| Data processors | Your contracts with data processors must have clauses covering: | There’s no specific or separate data processor role, so there are no requirements for your contracts with them. |
If the GDPR applies to you, and you don’t comply, you could be hit with some fairly steep fines. These can be up to €20 million or 4% of global annual turnover, whichever is larger. But don’t panic: you’re not going to be slapped with a huge fine out of the blue; first up you’d get a warning.
Even if the GDPR doesn’t apply to you now, you might want to consider looking at how you’d comply. That’s because:
Even if you’re not aiming for compliance, it’s worth looking at how you handle your data. There’s definitely something to be said for treating other people’s personal information the way you’d want them to treat yours.
The official General Data Protection Regulation text