GDPR and its impact on New Zealand Businesses

“GDPR does not apply to me as I am a New Zealand-based business” is a fallacy. If you offer goods or services to people in the EU, monitor their behaviour there, or hold personal data about them, then the General Data Protection Regulation (GDPR) applies to you, wherever your business is based. Are you ready for the introduction of GDPR on 25 May 2018?


What is GDPR?

The GDPR is a regulation in EU law that protects the personal data of people in the EU, requires personal data breaches to be reported, and gives individuals the right to access the personal data held about them.

In the context of GDPR, personal data is any information relating to an identified or identifiable natural person (the data subject), whether it identifies the person directly or indirectly. It can be anything from a name, a photo, an email address, bank details, posts on social websites or medical data to an online identifier such as a computer's IP address.

If you rely on consent to offer online services to data subjects under the age of 16, that consent must be given or authorised by a parent or guardian (individual member states may lower the threshold, to no less than 13).

As an organisation you may be deemed either a data controller or a data processor. The data controller is the entity that determines the purposes and means of processing personal data; the data processor is the entity that processes personal data on behalf of the data controller.

An example would be that your organisation (data controller) uses a hosted CRM system (its vendor is a data processor) to manage the personal data of your contacts and leads, and a third-party marketing platform (another data processor) to send emails to those contacts. The controller remains accountable for both, so your contract with each processor should set out what it may do with the data.

If the above does fit you and you are not ready, the penalties for non-compliance are steep: up to 4% of annual global turnover or €20 million, whichever is higher.

What are the key points that I need to be aware of?

  • Breach Notifications: you must notify the relevant supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals; where the breach is likely to result in a high risk to the affected people, you must also notify them without undue delay.
  • Right to Access: data subjects can ask whether you are processing their data and for what purpose, and can request a copy of the personal data you hold about them, supplied electronically where the request was made electronically and free of charge for the first copy. You generally have one month to respond.
  • Right to be Forgotten: also known as Data Erasure, this entitles the data subject to have the data controller erase their personal data, cease further dissemination of the data and, where the data has been made public, take reasonable steps to have third parties halt processing of it. The right is not absolute: data you are legally required to retain, such as transaction records kept for tax purposes, is exempt from erasure.
  • Data Portability: provides the right for a data subject to receive the personal data concerning them which they previously provided, in a 'structured, commonly used and machine-readable format', and the right to transmit that data to another controller.
  • Privacy by Design: this has long been good practice for any implementation that captures personal data, but is now a legal requirement. It means that you must build data protection into a system from the outset rather than bolting it on later. In addition, you must hold and process only the data necessary for the purpose (data minimisation), and limit access to personal data to those who need it to carry out the processing.
  • Data Protection Officers: you may need to appoint a Data Protection Officer if you meet certain prerequisites: you are a public authority, your core activities involve large-scale, regular and systematic monitoring of individuals, or your core activities involve large-scale processing of special categories of data (such as health data) or of criminal conviction data.

What is the GDPR impact and how do I prepare?

There are a couple of key changes that catch my eye and make me think “Hmm, how would I do that?”, mainly the Right to Access and the Right to be Forgotten.

Both have a major impact on how you have designed and built your systems. The Right to be Forgotten may conflict with records and systems that require a person record to exist for a dependent record (an order, an invoice) to be valid; if those dependent records must be retained, the practical answer is to delete what you can and replace the remaining identifying fields with a tombstone, so the dependent records stay valid without identifying anyone. And if you receive a request to share the personal details you hold on a person, how would you process it? Can you export the details? Can you isolate the specific fields required for the request?

This is where Privacy by Design is a key factor when developing new systems or reviewing existing ones: you now need to ask “how would I do that if I were requested to?” and keep an inventory of where personal data lives. Think about downstream systems, data warehouses, integration points, ERP systems, online channels, backups and log files (an IP address in a web log is personal data by the definition above), and anywhere else personal data is stored or copied.
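As an added example (not code from the original post or from Intergen), here is how the two questions above can be answered mechanically once a system keeps an inventory of where personal data lives. It uses an in-memory SQLite database with a constructed schema: orders carry a NOT NULL foreign key to the customer, so the customer row cannot be deleted while the orders have to be kept, and a marketing_contacts table stands in for a downstream mailing platform. The table and column names, the INVENTORY map, and the sample rows are all assumptions for illustration.

```python
import json
import sqlite3
from datetime import datetime, timezone

# Constructed schema (an assumption, not any real product). orders.customer_id is
# NOT NULL and references customers, so a customer row cannot simply be deleted
# while the orders that depend on it must be retained (e.g. as tax records).
# marketing_contacts stands in for a copy of the data held by a mailing platform.
SCHEMA = """
CREATE TABLE customers (
    id         INTEGER PRIMARY KEY,
    full_name  TEXT NOT NULL,
    email      TEXT NOT NULL,
    ip_address TEXT,
    country    TEXT,
    erased_at  TEXT
);
CREATE TABLE orders (
    id          INTEGER PRIMARY KEY,
    customer_id INTEGER NOT NULL REFERENCES customers(id),
    total_nzd   REAL NOT NULL,
    placed_at   TEXT NOT NULL
);
CREATE TABLE marketing_contacts (
    id          INTEGER PRIMARY KEY,
    customer_id INTEGER NOT NULL REFERENCES customers(id),
    email       TEXT NOT NULL,
    consent     TEXT NOT NULL
);
"""

# Data inventory (assumed): every table/column that holds personal data about a
# customer, plus the column that links it back to the customer id. Keeping this
# map current is the practical core of "privacy by design": access and erasure
# requests become a walk over the inventory rather than a hunt through systems.
INVENTORY = {
    "customers":          {"key": "id",          "fields": ["full_name", "email", "ip_address", "country"]},
    "orders":             {"key": "customer_id", "fields": ["id", "total_nzd", "placed_at"]},
    "marketing_contacts": {"key": "customer_id", "fields": ["email", "consent"]},
}

# Tables whose rows may be removed outright on an erasure request. Anything not
# listed is treated as retained (orders) and is pseudonymised instead.
ERASABLE_TABLES = ["marketing_contacts"]


def open_db() -> sqlite3.Connection:
    """In-memory database seeded with constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.execute("PRAGMA foreign_keys = ON")  # enforce the FK so the conflict is visible
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO customers VALUES (1, 'Ana Example', 'ana@example.eu', '203.0.113.7', 'DE', NULL)")
    conn.execute("INSERT INTO orders VALUES (10, 1, 120.50, '2018-03-02'), (11, 1, 49.00, '2018-04-18')")
    conn.execute("INSERT INTO marketing_contacts VALUES (7, 1, 'ana@example.eu', 'opted-in 2018-03-02')")
    conn.commit()
    return conn


def export_subject(conn: sqlite3.Connection, customer_id: int) -> dict:
    """Right of access / portability: gather every inventoried field for one
    customer into a single JSON-serialisable structure."""
    out = {"customer_id": customer_id,
           "exported_at": datetime.now(timezone.utc).isoformat(),
           "data": {}}
    for table, spec in INVENTORY.items():
        # Table and column names come from the trusted INVENTORY constant, never
        # from the request, so interpolating them is safe; the id is still bound.
        cols = ", ".join(spec["fields"])
        rows = conn.execute(f"SELECT {cols} FROM {table} WHERE {spec['key']} = ?",
                            (customer_id,)).fetchall()
        out["data"][table] = [dict(r) for r in rows]
    return out


def erase_subject(conn: sqlite3.Connection, customer_id: int) -> dict:
    """Right to be forgotten: delete downstream copies, then delete the root
    record if nothing references it, otherwise tombstone its identifying fields
    so retained dependent records stay valid without identifying a person."""
    report = {"deleted": {}, "pseudonymised": False}
    for table in ERASABLE_TABLES:
        cur = conn.execute(f"DELETE FROM {table} WHERE {INVENTORY[table]['key']} = ?", (customer_id,))
        report["deleted"][table] = cur.rowcount
    try:
        cur = conn.execute("DELETE FROM customers WHERE id = ?", (customer_id,))
        report["deleted"]["customers"] = cur.rowcount
    except sqlite3.IntegrityError:
        # Retained rows (orders) still point at this customer: the hard delete is
        # refused by the FK, so replace the identifying fields with a tombstone.
        conn.execute(
            "UPDATE customers SET full_name = 'erased', email = ?, ip_address = NULL, "
            "country = NULL, erased_at = ? WHERE id = ?",
            (f"erased-{customer_id}@invalid", datetime.now(timezone.utc).isoformat(), customer_id),
        )
        report["pseudonymised"] = True
    conn.commit()
    return report


if __name__ == "__main__":
    db = open_db()
    print(json.dumps(export_subject(db, 1), indent=2))   # what the subject receives
    print(erase_subject(db, 1))                          # {'deleted': {'marketing_contacts': 1}, 'pseudonymised': True}
    print(json.dumps(export_subject(db, 1), indent=2))   # orders remain, identity gone
```

The same inventory drives both requests, which is the point: a system that can enumerate where it keeps personal data can answer an access request with an export and an erasure request with a delete-or-tombstone pass, and the foreign-key failure is exactly the "record must exist for the order to be valid" conflict described above, handled rather than ignored.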

Two questions I would ask of an organisation are “Do you currently record where the people you deal with are located, or which of them you serve in the EU?” and “Can you identify the potentially impacted records in your systems?” Note that the GDPR's reach is keyed to data subjects being in the EU and to whether you offer them goods or services, or monitor their behaviour, there, not to their passport, so citizenship alone is neither necessary nor sufficient to identify the records in scope.

A scenario that would not be too uncommon: you sell goods in New Zealand to people residing or travelling here who come from the EU. If such a person moves back to the EU they could request their personal data or request to be forgotten, and whether GDPR obliges you to comply will turn on whether you are by then offering goods or services to, or monitoring, people in the EU (continuing to email them marketing is the obvious example). The impact of GDPR is far reaching, especially with New Zealand being a tourist-rich country.

Food for thought I am sure. Make sure you are ready and can comply, as I am sure there will be people who will test organisations once the 25th May hits us.

Posted by: Steven Foster, Client Director | 14 May 2018

Tags: Data management, Security, Privacy, GDPR
