The European Union’s General Data Protection Regulation (GDPR) comes into effect on 25 May 2018 and represents a big change to current EU data protection laws.

The GDPR expands the territorial reach of EU data protection laws and New Zealand businesses that process personal data of individuals in the EU will have to comply with the new laws.  For the purposes of the GDPR, processing means any operation which is performed on personal data such as collection, recording, organisation, storage, use, disclosure or erasure.

The GDPR will apply to your business if:

• you have a business located in the EU and process personal data of individuals in the EU (regardless of where this personal data is processed), or
• you do not have a business located in the EU, but offer goods or services to individuals located in the EU (even if those individuals are not paying customers) or monitor the behaviour of individuals located in the EU (including through the use of cookies).

The GDPR applies to the processing of personal data by both data controllers (organisations who exercise overall control of personal data and determine why and how that personal data is processed – if your business collects personal data about EU individuals for its business use, you’re likely to be a data controller) and data processors (organisations which process personal data on behalf of a data controller e.g. an outsourced cloud service provider such as Azure or Amazon Web Services).

The GDPR comes with large fines for non-compliance.  Businesses can be fined up to 20 million euros, or 4% of global revenue, for serious contraventions of the GDRP (which is 30 times more than the current maximum fine for an offence under NZ privacy law).

If the GDPR applies to your business, it is likely that you will need to update your privacy processes and policies to comply with the new law.  Some of the requirements of the GDPR that are more onerous than those under New Zealand privacy law include:

• increased data rights for individuals – individuals have a number of data rights under the GDPR, designed to empower individuals’ control of their personal data.  New rights include the right to erasure (often referred to as the right to be forgotten), to data portability (e.g. to transfer personal data from you to another service provider), and to object to the processing of personal data.  Individuals also have rights in respect of automated processing (decision making) or profiling e.g. an algorithm used to make a decision on an individual’s online loan application or analysis of data to gain insights into behaviours and characteristics of different groups of individuals who are subsequently targeted with certain types of advertising.  You must tell individuals if you undertake these activities and allow individuals to request a review of any automated decision
• lawfulness of data processing – businesses can process personal data only when one of 6 lawful purposes applies: consent is given by the individual or data processing is necessary for: the performance of a contract with the individual; to comply with legal obligations; to protect the vital interests of the individual or other person (i.e. protecting someone’s life); to perform a task in the public interest; or where the data controller has legitimate interests (i.e. where the controller uses personal data in ways individuals would reasonably expect and which have minimal impact on their data rights)
• a higher standard for consent – the GDPR is more prescriptive on how consent must be given for data collection (particularly for sensitive data e.g. racial or ethnic origin, religious belief, genetic data, biometric identification data and health data) and on parental consent for children (anyone under 16).  Consent must be freely given, clear and concise, specific, informed and an unambiguous indication, either by statement or by a clear affirmative action (offering the option to tick an opt-out box will not qualify as freely given consent)
• privacy by design – the GDPR requires privacy by design.  This means that privacy law obligations are embedded in a business’s personal data handling processes from start to finish.  Data controllers must implement appropriate technical and organisational measures considering the nature, scope, context and purposes of processing, as well as the data rights of individuals
• transfers of personal data outside the EU – while personal data may be transferred outside the EU, businesses are only allowed to transfer personal data to countries that provide an adequate level of data protection (the European Commission has determined that New Zealand meets this standard) or where appropriate safeguards are in place, e.g. standard contractual clauses in place between the data controller and data processor, or the transfer complies with an approved code of conduct or certification mechanism

The full text of the GDPR is available here.

We will dive into the detail of the GDPR over the next few weeks, including providing some tips to help with your journey to GDPR compliance, so stay tuned for our next blogs.