GDPR. Why the new European data rules affect you.


You may have noticed your inbox overflowing recently with new terms and conditions from the many brands you subscribe to. This is because of the GDPR, which is not the Gross Domestic Product of Russia or Grant Dalton’s PR firm - it’s all about data protection, and if you run a business that handles personal information, chances are you need to know what to do.

The General Data Protection Regulation (GDPR) governs the collection, processing and use of personal data, and it affects any business handling the personal data of people residing in the European Union, wherever that business is located.

It will:

  • Introduce new legal rights so individuals can better protect their personal data;
  • Extend the responsibilities of organisations that use or handle personal data; and
  • Increase the penalties for those that breach the regulation.

It applies from 25 May 2018.

But I’m in NZ. Will I need to comply?

GDPR reaches beyond Europe. Businesses without any physical presence in the EU still have to comply if they handle EU residents’ data. At a minimum you should review and update your privacy policy if you:

  • Sell goods or services to anyone who lives in the EU;
  • Collect any personal data from anyone who lives in the EU; or
  • Monitor the behaviour of anyone who lives in the EU. (This includes tracking visitors with Google Analytics or similar web analytics tools.)

Note that GDPR requires controls that are not part of the New Zealand (NZ) Privacy Act, so complying with NZ privacy law does not by itself mean you comply with GDPR.

What is personal data, according to GDPR?

Under GDPR, personal data is any information relating to a person who can be identified directly or indirectly. It can include:

  • Personal details such as the person’s name, address, email;
  • Financial details such as how much the person earns, credit ratings;
  • Medical details about a person’s mental or physical health;
  • Details about a person’s ethnicity, political opinions, religious beliefs, sex life or sexual orientation;
  • Images or voice recordings of a person;
  • Employment details;
  • The IP address of a person that visits a website;
  • Criminal convictions or alleged offences;
  • Biometric data; or
  • Location data.

* Source: New Zealand Law Society

How are you collecting personal data?

You may be collecting data in different ways: volunteered by the person, given in exchange for free services (e.g. social networks and search engines), or gathered automatically through cookies, web analytics and sensors.
From 25 May, consent must be “freely given, specific and unambiguous, and needs to cover all intended processing activities”.
Note that pre-ticked boxes, inactivity or silence are not valid forms of consent. You must also be able to demonstrate that consent was given, and withdrawing consent must be as easy as giving it.

Businesses need to be clear about why personal data is being processed, and must have a legal basis for doing so.

Under GDPR, the legal grounds for processing personal data are:

  • To perform a contract;
  • The individual concerned has given consent;
  • The data controller has a legitimate interest that is not overridden by the individual’s rights;
  • A legal obligation to collect and retain the information (e.g. employers);
  • To perform the lawful function of a public authority; or
  • For the protection of vital interests of that person.

* Source: New Zealand Law Society

Note that personal data collected to complete an online sale or to answer an online query cannot then be used for marketing, unless the person has given specific and clear authorisation for that use.

Final Tips

  • Seek legal advice if your business directly and/or indirectly targets European residents.
  • Make sure that when you collect data, you communicate clearly how you will store and use it.
  • You do not comply with GDPR just because you have a privacy policy on your website. Depending on your specific case, GDPR requires other controls.
  • Even if you don’t target European residents directly, if you provide services through your website worldwide you will need to comply with GDPR.
  • Even if you hand the work to a marketing agency that collects and analyses website data on your behalf, you remain the data controller and the agency is only a processor. The responsibility to comply with GDPR stays with you.