GDPR in New Zealand: Are you affected and if so, how?
By Nick Butler
26 June 2018
The GDPR — the EU’s new data protection rules — will apply to some New Zealand organisations, especially those doing internet marketing. Find out if yours is one of these, what this will mean for you, and learn more about the impact of the GDPR in New Zealand.
The GDPR came into full effect in May this year and is designed to protect the personal data of all EU citizens.
As a result, it may apply to you even if you’re not based in the EU. Imagine for example that you have a New Zealand travel website that specifically targets people from the EU (maybe you offer Italian language tour guides). If you use your travellers’ personal data (perhaps in your email marketing) then the GDPR applies to you.
The GDPR doesn’t just apply to businesses either, it also covers nonprofits and government.
This post looks at what GDPR means by ‘personal data’, introduces the principles of the GDPR, shows how you can comply and why you might want to, looks at where the GDPR and New Zealand privacy law differ and why they might not do so for long.
Disclaimer: Treat this post as background information not legal advice. Everything I know about the law I learnt from watching Boston Legal.
What is personal data?
Here’s how the GDPR defines it:
“Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”
Hmmmm, that might need some clarification.
If data can be used to identify someone, then it’s personal data.
This can include addresses, email addresses, online identifiers such as IP addresses or cookies, photos, and any information that relates to this identifiable person.
The GDPR treats information on health, race, sexual orientation, religion and political beliefs as more sensitive than other information.
Do I need to comply with GDPR in New Zealand?
To find out if yours is one of the organisations affected by the GDPR in New Zealand, the first question is: Do you process personal data?
If you do, then you need to comply if:
You have a branch in the EU.
You offer goods or services, paid or free, to people from the EU (for example, through a website or app) and you explicitly target the people from the EU (for example, by having prices in Euros).
You monitor the internet behaviour of people in the EU in order to profile them or predict their personal preferences (for example, by using your data for behavioural-based advertising).
Note: the EU includes the UK. They’re still in the EU until Brexit and plan to bring GDPR into UK law once they leave.
Processing personal data
When the GDPR talks about ‘processing’ personal data, the scope of the term is pretty broad. So collecting the information counts as processing, as does storing, using and deleting it. Also, it doesn’t matter if data is digital or in a physical filing system.
Data controllers and data processors
The GDPR separates out two roles, ‘controllers’ and ‘processors’.
A controller decides the purposes and means of processing personal data. A processor does the work on behalf of a controller.
As a controller you need to make sure your contracts with processors comply with the GDPR. As a processor you have specific responsibilities, such as keeping records of your data processing. Sometimes you’ll be both controller and processor.
The principles of GDPR
The GDPR follows six principles:
- Lawfulness, fairness, and transparency: Collect and use the data lawfully, fairly, honestly and openly.
- Purpose limitation: Record your specific purposes for collecting the data, and only use it for these purposes.
- Data minimisation: Only collect data relevant to these purposes.
- Accuracy of data: Correct, delete or update any inaccurate or out-of-date data.
- Retention of data: Only keep the data as long as you need it.
- Integrity and confidentiality: Keep the data secure.
Lawful basis for collecting data under GDPR
The GDPR has six specific criteria for deciding if you have a lawful basis for processing personal data. You need to decide ahead of time which one of these is your basis:
1. You have clear consent.
Data processing is necessary for your:
3. legal obligations
4. ability to protect people’s vital interests, i.e. their life
5. public tasks, or official functions
6. legitimate interests, or the interests of a third party.
If you can reasonably achieve the same purpose without the processing, it’s not necessary.
You can get more detail from the UK Information Commissioner’s Office’s in-depth guidance.
Compliance with GDPR in New Zealand
If yours is one of the New Zealand organisations covered by the GDPR, you may want to start planning what you need to do for compliance.
The European Commission have put together a good single-page summary. What it pretty much says is:
Do data protection by design. Build data protection safeguards into your products and services from the beginning. The summary breaks these safeguards into the following categories:
Use plain language.
Tell people who you are when you request the data. Say why you are processing their data, how long you’ll store it and who receives it.
Get their clear consent to process the data.
If you collect data from children for social media, check the age limit for parental consent.
Access and portability
Let people access their data and give it to another company.
Inform people of data breaches if there is a serious risk to them.
Give people the ‘right to be forgotten’. Erase their personal data if they ask, but only if it doesn’t compromise freedom of expression or the ability to research.
If you use profiling to process applications for legally-binding agreements like loans you must:
- inform your customers
- make sure a person, not a machine, checks the process if the application is refused
- let the applicant contest the decision.
Give people the right to opt out of direct marketing that uses their data.
Safeguarding sensitive data
Use extra safeguards for information on health, race, sexual orientation, religion and political beliefs.
Planning compliance with GDPR in New Zealand
Here are some steps you could take for a GDPR compliance plan:
- Assess whether the GDPR applies to you.
- If not, decide whether you want to prepare for possible changes in New Zealand data protection by reviewing your current practices anyway.
- Decide who is accountable.
- Map what personal data you collect, how you collect it and what you do with it.
- Check if you’re collecting sensitive data that requires special treatment.
- Plan how you’ll comply, now and over time.
- Learn from what other people are doing (be a fast follower rather than on the bleeding edge).
- Start the practical business of making any necessary changes to your website, email marketing software, analytics tools and suchlike, along with your personal data processes and records.
Big data processors are busily updating their tools and putting together resources. These can give you a good steer for the practical steps you’ll need to take. Here are a few of them:
Influence of GDPR on New Zealand privacy law
Many commentators suggest that thanks to the GDPR, New Zealand will have to enhance our privacy protection. That’s partly because, for data to be easily transferred from the EU to New Zealand, we’ll want to maintain our “adequacy status”. This means that the EU considers that our protection is up to their standards.
There’s a Privacy Bill in front of Parliament currently and this is likely to take some steps along the way. And it’s possible there’ll be further changes as people see how things shake out with GDPR in New Zealand.
Quick comparison between GDPR and New Zealand privacy law
The GDPR and the New Zealand Privacy Act are generally aligned, but here are some differences.
||New Zealand Privacy Act
|People have the right to:
- be told about the use of their data in plain language
- access their data
- get errors corrected
- ask for their data be deleted (sometimes)
- restrict processing of their data (sometimes)
- get their data transferred to another business
- object to their data being processed
- object to automated decision-making.
- access their data
- get errors corrected
- ask for their data be deleted (sometimes).
||Consent must be:
- a positive opt-in, not pre-ticked boxes
- separate to other terms and conditions, including privacy policies
- clear and specific
- easy to withdraw
- not a condition for receiving a service.
|You need reasonable grounds to believe you have consent.
||You must report any data breach that risks affecting the rights and freedoms of individuals.
If there’s a high risk you also have to tell the people in question.
|Reporting data breaches is encouraged but not mandatory (though the new Privacy Bill is likely to require breaches get reported to the NZ Privacy Commissioner).
||Your contracts with data processors must have clauses covering:
- the scope of processing
- individuals’ rights
- storage and erasure
|There’s no specific or separate data processor role, so there are no requirements for your contracts with them.
Why comply with GDPR in New Zealand?
If the GDPR applies to you, and you don’t comply, you could be hit with some fairly steep fines. These can be up to €20 million or 4% of global annual turnover, whichever is larger. But don’t panic, you’re not going to be slapped with a huge fine out of the blue, first up you’d get a warning.
Even if the GDPR doesn’t apply to you now, you might want to consider looking at how you’d comply. That’s because:
- other jurisdictions are likely to follow the GDPR, New Zealand included
- it’s hard to argue with the principles that underpin the rules
- it brings a risk-based approach, with the effort needed for compliance tied to how big the risks are in relation to the personal data.
Even if you’re not aiming for compliance, it’s worth looking at how you handle your data. There’s definitely something to be said for treating other people’s personal information the way you’d want them to treat yours.
The official General Data Protection Regulation text
New Zealand Privacy Commissioner’s GDPR resources