This guide gives you a brief introduction to the GDPR and provides some links that go into further detail about it.
This post is not legal advice, and we strongly recommend you consult a lawyer about whether and how you need to comply with this regulation.
What is the GDPR?
The GDPR, or General Data Protection Regulation, is a regulation adopted by the European Union that sets out the rights people in the EU have over the collection, storage and use of their personal data, and the obligations of the organisations that process it. Note that it protects individuals who are in the EU (the regulation calls them "data subjects"), not only EU citizens.
What is the purpose of the GDPR?
Its primary purpose is to protect the personal data and privacy of people in the EU by imposing some very stringent requirements on anyone who collects or processes that data.
Who does it apply to?
If the regulation is applied as broadly as it looks like it will be, then almost any business that holds personal data about people in the EU in its systems will be subject to it. That can simply mean basic contact information, stored in an email marketing system or e-commerce system, that can identify a person who resides in the EU.
If you are marketing to, or selling a service or product into, EU countries you should be very proactive about working on your GDPR compliance (you should probably consult a lawyer fairly soon). But even if you are not specifically marketing or selling to people in the EU, the regulation still has ramifications for almost any business that is online: any personal data that is collected about people in the EU, by any business anywhere in the world, needs to meet the standards set out in the regulation.
The regulation also applies if you are monitoring the behaviour of people in the EU online, for example with analytics or advertising tracking scripts on your website.
What are the consequences of not complying with the regulation?
Companies found in breach of the regulation can be fined up to 20 million Euro or 4% of their worldwide annual turnover, whichever is higher. There is a lower tier of fines (up to 10 million Euro or 2% of worldwide annual turnover) for lesser breaches. To learn more about the fines see https://www.gdpreu.org/compliance/fines-and-penalties/.
When does it come into effect?
This is the scary part: it becomes enforceable on the 25th of May 2018.
Why haven’t I heard about it?
It seems to have come in under the radar of many businesses outside the EU, though some New Zealand government sites have been publishing information about it, as have some law firms and IT companies.
What can I do to make my business GDPR compliant?
The most obvious place to start is by assessing whether your business markets, or intends to market, to people in the EU, or tracks the behaviour of people in the EU online. Then follow the links we have provided for further information.
What about my website? What can I do?
From our reading online, our initial suggestions would be:
- Have a robust privacy statement on your website that complies with the GDPR – see https://www.gdpreu.org/privacy-policy/ as an example. At the same time, check that you are meeting your obligations under the New Zealand Privacy Act – https://www.marketing.org.nz/Article?Action=View&Article_id=16
- Make sure the privacy statement is easy to reach from your online forms, signup forms and e-commerce checkout, so visitors can read it before they hand over their data.
- Don’t pre-tick subscription checkboxes. Consent under the GDPR has to be a clear, affirmative action, so the visitor must actively tick the box to be added to your mailing lists (a pre-ticked box, silence or inactivity does not constitute consent to process personal data).
Links for further information:
GDPR compliance in four steps – NZ Law Society
https://www.gdpreu.org – MailControl
The Principles of the EU General Data Protection Regulation – (PDF) New Zealand Trade & Enterprise
Bits+Bytes: privacy laws that will change the internet forever – Radio New Zealand
http://ec.europa.eu/justice/smedataprotect/index_en.htm – the European Commission