The EUmpire Strikes Back: Will the GDPR affect Kiwi businesses?
I know, I know - you have enough acronyms clogging up your brain space, you don’t need another. But this is definitely one you should make room for.
The GDPR, or General Data Protection Regulation.
You’ve likely heard whispers of this new law since 2016, probably interspersed with words like ‘personal data’, ‘European Union’ and ‘data protection.’ And, like many Kiwis, this was probably your first thought:
“Wait, back up - European Union? That’s across the world, why do I need to make acronym space in my head for this ‘GDPR’ thing that has nothing to do with New Zealand?”
Well, you might not. Technically, whether or not this particular regulation is relevant to you depends on the nature and reach of your Kiwi (or Australian) business. Before we delve into the specifics of the GDPR, let’s first clarify who even needs to be concerned:
- If you run a business that doesn’t store ANY customer data at all, you’re in the clear - go ahead and fill that brain space up with cat videos and lyrics to songs from when you were 13, because the GDPR doesn’t affect you.
- If you own or work for a business that does store customer data, but none of it belongs to someone from an EU country, you’re probably also in the clear (for now, at least) - although you should probably triple check your data just to make sure you’re not missing a Brit or two (and yes - despite Brexit, the UK still falls under EU data jurisdiction until at least 2019, if not longer). Your ‘immunity’ to the regulation is also contingent on your organisation not planning to conduct any business in the EU or track the online behaviour of any Europeans in the future.
- All other organisations that store, use or interact with personal data from any EU countries need to be in line with the legislative changes that came into effect on 25 May 2019.
'Okay but first, tell me - what exactly is the GDPR (simplified)?'
The EU laws surrounding data privacy were conceived and implemented in 1995 - a year of crimped hair, humongous computers and manually inputting data. This happens to be the same year in which we founded Datamine (yes, I feel old), and I can assure you that over the last couple of decades we have seen the nature of data morph into something entirely different, not to mention the sheer amount of information that exists now and the increasingly formidable hackers that have come with it. For these reasons, the EU ‘powers that be’ decided it was time for a legislative update back in 2016 - a Data Privacy Law 2.0, if you will.
The GDPR (11 chapters and 99 articles in total - it’s a whopper) is designed to give the power back to the people with regard to their data. European surveys have shown that people trust transparent companies, so in some ways this legislation can be viewed as a mandatory suggestion that businesses be more open about their data practices. Among the most important bits of the legislation are:
- Individuals have the right to be forgotten - this means they can reach out to a business at any time and ask for their data to be permanently deleted.
- Individuals need to be notified immediately in case of a data breach or hack. No more cover-ups where companies try to save their own hides at the expense of their customers’ data protection.
- Businesses/websites will need to obtain explicit consent in order to use or store personal data from sign-ups - this will probably mean the end of the ‘I agree to the terms and conditions [that I didn’t actually read]’ as we know it.
- Individuals have the right to know whether or not an organisation is storing or processing their personal data and, if so, why.
The GDPR officials aren’t messing around, either - organisations that are found to have broken any of these new laws could be fined 4% of annual turnover, or €20 million (whichever is higher). As you can imagine, many EU businesses are not happy about having to completely redesign their data collection and storage processes or having to pay such a hefty fine if they violate the terms of the regulation.
But what about non-EU businesses – New Zealand and Australian based businesses in particular? How does the GDPR affect Kiwis?
Data privacy changes in New Zealand with the GDPR
As I mentioned earlier, organisations that have data belonging to anyone from an EU country need to update their data management practices. In theory this sounds fine, but in practice it can be quite tough - especially if you have a lot of EU data or partner with a European company.
If you have EU-based sister or partner companies, they should be asking about your preparedness for the GDPR changes. Same goes for companies that are even considering the possibility of expanding into the EU - in fact, it probably makes sense for all Kiwi companies to at least begin updating their data processes, even if they don’t currently manage personal information from EU citizens or residents. Here’s why:
Many of the articles set forth in the GDPR are closely aligned with those from New Zealand’s Privacy Act 1993, the current law in NZ. Of course, a lot of the more contemporary clauses in the GDPR are absent from our legislation - however, it looks like similar changes will be arriving to NZ in the near future (or at least that’s what the International Association of Privacy Professionals believes), so stay tuned.
How can NZ businesses get in line with the GDPR regulations?
Well, there are a couple of things. First things first: figure out what your organisation’s current data management practices are. Where do you keep customer data? How much of it do you hold onto? When (if at all) do you delete it? What is the protocol if there were to be a data breach? Having a solid grasp on your current procedures will help you know what needs to change.
If you run a large organisation that interacts closely with EU customers, it might be smart to internally (or externally) designate someone as the Data Protection Officer in order to ensure total GDPR compliance. Many businesses have also been seeking legal help, just to make sure they know exactly what they need to do to be in line with the regulations.
In order to be able to explain to someone how you’re using their personal data (and get rid of it if they ask you to), you need to have a single customer view, and you need to have a comprehensive data management system (like a Datamart) in place. Depending on your business' current situation, it might also be smart to seek help with your permission management practices to ensure you're adequately prepared for the upcoming legislative changes.
Here’s the good news: we do both data and permission management for numerous Kiwi businesses on a day-to-day basis. Having been around for a while (since the 90’s, remember?), Datamine has gone through innumerable structural data changes over the years - our processes and practices have drastically changed since we were founded, but that’s a good thing! It means we’re staying up-to-date, and it means we’re fully qualified to help other organisations through the same changes.
For more information, get in touch with one of our Consultants here, or download the Datamine Guide to Data Privacy and Security below.
ABOUT THE AUTHOR: PAUL O'CONNOR
Paul founded Datamine in 1995 and has overseen the company's growth into its current position as a key player in the data analytics community. He brings a human touch to data analysis, translating 'geek-speak' into English and never failing to turn the imponderable into actionable insights.