I know, I know - you have enough acronyms clogging up your brain space, you don’t need another. But this is definitely one you should make room for.
The GDPR, or General Data Protection Regulation.
You’ve likely heard whispers of this new law since 2016, probably interspersed with words like ‘personal data’, ‘European Union’ and ‘data protection.’ And, like many Kiwis, this was probably your first thought:
“Wait, back up - European Union? That’s across the world, why do I need to make acronym space in my head for this ‘GDPR’ thing that has nothing to do with New Zealand?”
Well, you might not. Technically, whether or not this particular regulation is relevant to you depends on the nature and reach of your Kiwi (or Australian) business. Before we delve into the specifics of the GDPR, let’s first clarify who even needs to be concerned:
'Okay but first, tell me - what exactly is the GDPR (simplified)?'
The EU laws surrounding data privacy were conceived and implemented in 1995 - a year of crimped hair, humongous computers and manually inputting data. This happens to be the same year in which we founded Datamine (yes, I feel old), and I can assure you that over the last couple of decades we have seen the nature of data morph into something entirely different, not to mention the sheer amount of information that exists now and the increasingly formidable hackers that have come with it. For these reasons, the EU ‘powers that be’ decided it was time for a legislative update back in 2016 - a Data Privacy Law 2.0, if you will.
The GDPR (11 chapters and 99 articles in total - it’s a whopper) is designed to give the power back to the people with regards to their data. European surveys have shown that people trust transparent companies, so in some ways this legislation can be viewed as a mandatory suggestion that businesses be more open about their data practices. Among the most important bits of the legislation are:
The GDPR officials aren’t messing around, either - organisations that are found to have broken any of these new laws could be fined 4% of annual turnover, or €20 million (whichever is higher). As you can imagine, many EU businesses are not happy about having to completely redesign their data collection and storage processes or having to pay such a hefty fine if they violate the terms of the regulation.
But what about non-EU businesses – New Zealand and Australian based businesses in particular? How does the GDPR affect Kiwis?
As I mentioned earlier, organisations that have data belonging to anyone from an EU country need to update their data management practices. In theory this sounds fine, but in practice it can be quite tough - especially if you have a lot of EU data or partner with a European company.
If you have EU-based sister or partner companies, they should be asking about your preparedness for the GDPR changes. Same goes for companies that are even considering the possibility of expanding into the EU - in fact, it probably makes sense for all Kiwi companies to at least begin updating their data processes, even if they don’t currently manage personal information from EU citizens or residents. Here’s why:
Many of the articles set forth in the GDPR are closely aligned with those from New Zealand’s Privacy Act 1993, the current law in NZ. Of course, a lot of the more contemporary clauses in the GDPR are absent from our legislation - however, it looks like similar changes will be arriving in NZ in the near future (or at least that’s what the International Association of Privacy Professionals believes), so stay tuned.
How can NZ businesses get in line with the GDPR regulations?
Well, there are a couple of things. First things first: figure out what your organisation’s current data management practices are. Where do you keep customer data? How much of it do you hold onto? When (if at all) do you delete it? What is the protocol if there were to be a data breach? Having a solid grasp on your current procedures will help you know what needs to change.
If you run a large organisation that interacts closely with EU customers, it might be smart to internally (or externally) designate someone as the Data Protection Officer in order to ensure total GDPR compliance. Many businesses have also been seeking legal help, just to make sure they know exactly what they need to do to be in line with the regulations.
In order to be able to explain to someone how you’re using their personal data (and get rid of it if they ask you to), you need to have a single customer view, and you need to have a comprehensive data management system (like a Datamart/CDP) in place. Depending on your business' current situation, it might also be smart to seek help with your permission management practices to ensure you're adequately prepared for the upcoming legislative changes.
Here’s the good news: we do both data and permission management for numerous Kiwi businesses on a day-to-day basis. Having been around for a while (since the 90s, remember?), Datamine has gone through innumerable structural data changes over the years - our processes and practices have drastically changed since we were founded, but that’s a good thing! It means we’re staying up-to-date, and it means we’re fully qualified to help other organisations through the same changes.
Paul founded Datamine in 1995 and has overseen the company's growth into its current position as a key player in the data analytics community. He brings a human touch to data analysis, translating 'geek-speak' into English and never failing to turn the imponderable into actionable insights.