GDPR and the impact to New Zealand Businesses

GDPR does not apply to me I am a New Zealand business. This is where you could be wrong. If you offer goods or services to citizens of the EU or if you hold data of EU citizens then GDPR applies to you. So are you ready for the introduction of GDPR on the 25th May?

What is GDPR, in a nutshell it is ensuring that the data of EU citizens is protected, data breaches are communicated and personal data is accessible by the person it belongs to.

In the context of GDPR, personal data relates to a natural person or data subject, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social websites, medical data or a computer IP address. If you hold data of data subjects under the age of 16, parental consent will be required to process the personal data for online services.

As an organisation you may be deemed as either a data processor or a data controller. A controller is the entity that determines the purpose, conditions and means for processing personal data, where the processor is an entity which processes personal data on behalf of the contoller. A simple example would be that you have a CRM system (data controller) that manages the personal data and you use a 3rd party marketing platform to send out emails (data processor).

If the above does fit you and you are not ready then the costs for non compliance and penalties are quite steep up to 4% of annual global turnover or $20 million Euros.

What are the key points that I need to be aware of?

  1. Breach Notifications – you must notify customers within 72 hours of a breach of personal data
  2. Right to Access – EU citizens can request whether or not you are using their data, for what purpose and can request a full copy of the personal data on file, free of charge to be supplied electronically.
  3. Right to be Forgotten – Also known as Data Erasure, the right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data.
  4. Data Portability – provides the right for a data subject to receive the personal data concerning them, which they had previously provided in a ‘commonly use and machine readable format’ and have the right to transmit that data to another controller.
  5. Privacy by Design – this is good practice for any implementation where personal data is being captured, but is now becoming a legal requirement. Basically it means that you must plan by design the inclusion of data protection systems rather than adding at a later date. In addition, you must hold and process only the data that is absolutely necessary for the completion of the process, as well as limiting the access to personal data to those needing to act out the processing.
  6. Data Protection Officers – you may need to appoint a Data protection officer if you meet the following prerequisites – you are a public authority, you are an organisation that engages in large scale systematic monitoring, or an organisation that engage in large scale processing of sensitive personal data.

So what is the impact and how do I prepare?

If you look at the key changes above their are a couple that catch my eye that says ‘umm how would I do that?” these would be the right to access and the right to be forgotten.

Both of these have a major impact on how you have currently designed and built your system. The right to be forgotten may have a knock on impact to related records and systems that requires a person record to exist for the record to be valid. Plus if you got a request to share the personal details that you have on a person, how would you process that? Can you print the details, can you isolate the specific fields required for the request?

This is where Privacy by Design is a key factor to consider when developing new systems, or reviewing existing systems, as you will need to now think of how will I do that if I was requested to do so. You need to think about downstream systems, data warehouses, integration pints, ERP systems, online channels, anywhere where personal data is stored.

A question I would ask of an organisation, is that are you currently capturing the citizenship of a person you are dealing with, can you identify the potentially impacted records in your system? A scenario that would not be to uncommon would be that you are selling goods in New Zealand to people residing or travelling in New Zealand who are EU citizens, if that person moves back to the EU then they could request their personal data or request to be forgotten, so the impact of GDPR is far reaching, especially with New Zealand being a tourist rich country.

Food for thought I am sure, make sure you are ready, and can comply, as I am sure there will be people who will test organisations once the 25th May hits us.

If you need assistance in getting ready for GDPR, get in contact.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: