You may have noticed your inbox overflowing recently with new terms and conditions from a multitude of brands that you subscribe to. This is because of the GDPR, which is not the Gross Domestic Product of Russia or Grant Dalton’s PR firm - it’s all about data protection and if you own a business that handles personal information, chances are you need to know what to do.
The General Data Protection Regulation (GDPR) governs the collection, processing and use of personal data, and it will affect any business that handles personal data from people residing in the European Union. The GDPR will:
- Introduce new legal rights so individuals can better protect their personal data;
- Extend the responsibilities of organisations that use or handle personal data; and
- Enhance the penalties for those that breach the regulation.
It will be enforced as of 25 May 2018.
But I’m in NZ. Will I need to comply?
You will need to comply if you:
- Sell goods or services to anyone who lives in the EU;
- Collect any personal data from anyone who lives in the EU; or
- Monitor the behaviour of anyone who lives in the EU. (This includes use of Google Analytics.)
Note that the GDPR requires controls that are not part of the New Zealand (NZ) Privacy Act, so complying with NZ privacy law does not guarantee that you are complying with the GDPR.
What is personal data according to GDPR?
Under the GDPR, personal data is any information relating to a person who can be identified directly or indirectly. It can include:
- Personal details such as the person’s name, address, email;
- Financial details such as how much the person earns, credit ratings;
- Medical details about a person’s mental or physical health;
- Details about a person’s ethnicity, political opinions, religious beliefs, or sexual activity;
- Images or voice recordings of a person;
- Employment details;
- IP address of a person that visits a website;
- Criminal records or alleged offences;
- Biometric data; or
- Location data.
Source: New Zealand Law Society
How are you collecting personal data?
You may be collecting data in different ways: given voluntarily in exchange for free services (e.g. social networks and search engines), or collected automatically through cookies, web analytics and sensors.
After 25 May, consent must be “freely-given, specific and unambiguous, and needs to cover all intended processing activities”.
Note that pre-ticked boxes, inactivity or silence are not a form of valid consent.
Businesses will need to be clear about why personal data is being processed, and must have legal grounds for doing so.
Under the GDPR, the legal grounds for processing personal data are:
- To perform a contract;
- The individual concerned has given consent;
- The data controller has a legitimate interest;
- Statutory obligation to collect and retain information (eg, employers);
- To perform the lawful function of a public authority; or
- For the protection of vital interests of that person.
Source: New Zealand Law Society
Note that personal data collected to complete an online sale or to answer an online query cannot be used for marketing purposes unless the person has given specific and clear authorisation.
Practical steps:
- Seek legal advice if your business may directly or indirectly target European residents.
- Make sure that when you collect data you communicate clearly how you will store and use it.