Preparing for GDPR compliance - what does it mean for NZ?
Regardless of the type of business you are in, you have most likely noticed a recent influx of emails from companies like Google and Facebook letting you know about updates to their privacy policies and settings.
This is because the EU's new General Data Protection Regulation (GDPR) comes into effect on May 25th 2018.
Under GDPR, any business or organisation that communicates with, does business with or, most importantly, gathers data from people who are in the EU will be affected, no matter where in the world that business is based. The regulation is about where the individual is when their data is collected, not their citizenship.
New Zealand businesses with a significant amount of web traffic and customers from the EU are the first who need to focus on compliance, if you haven't done so already.
You may need to comply with the regulations set out in this piece of legislation if your business gathers and stores personal data from customers who:
- visit your website
- buy products or services from you online
- subscribe to mailing lists or downloads
- use your services and provide their data as part of that transaction.
The penalties for non-compliance are severe: up to 4% of a company's annual worldwide turnover, or 20 million euros, whichever is higher.
Note: This penalty applies to businesses located anywhere in the world that collect or process personal data from people in the EU who visit their websites, buy from them or do business with them. Being based outside the EU does not exempt you.
What is the focus?
GDPR protects any information that can be used to identify an individual, directly or indirectly. That includes the obvious data tied to a person's name, address or ID numbers, but it is also much broader than that, covering online identifiers such as location data, IP addresses, cookie data and RFID tags.
Individuals in the EU will have the right to request (and be given) a copy of any identifiable data your organisation holds relating to them, and secondly to request (and have carried out) the erasure of that data from all systems holding it, including backups and third-party tools you have passed it to.
The right to erasure is not absolute, however. If you are legally required to hold that data, like keeping a record of sales through your site for seven years for tax purposes, it does not need to be erased, but you should be able to explain which legal basis you are relying on.
The GDPR also provides for "data portability", so customers should be able to receive the data they gave you in a structured, commonly used, machine-readable format and take it to another provider if they wish.
Action Steps for your Business
1) Allocate responsibility for researching the GDPR requirements to members of your team, then carry out a review or audit of all the ways you currently gather and store data about customers, patients, guests or people who request free information from you, including any data captured by marketing automation platforms if you use them.
2) Gather a record of the privacy policies and data-processing terms of the platforms and tools you use, so they are easily accessed if necessary. These providers process your customers' data on your behalf, and you remain responsible for it.
3) Contact your lawyer for advice about your level of risk and their recommendations on the compliance measures you should be putting in place, especially if you know you have customers in EU countries.
4) Work out how you would respond to a request from a customer to see all the data you currently hold about them, how you would go about erasing it from every system if they asked you to, and how you would provide them with a machine-readable copy to take to a different provider if they wished. Decide who handles such requests and how you will verify that the person asking is who they say they are.
5) At the bare minimum, start by adding a notice to your site telling visitors what tracking cookies you use and asking for their consent before any non-essential cookies are set.
If you want help or advice about adding a cookies message and supporting technology to your website, get in touch and we can talk through the options.
For more information about the GDPR, the following links may be helpful: