The General Data Protection Regulation is a major step in digital privacy and the result of a long process rooted in European values. It aims to strengthen data protection law by giving EU citizens control over their personal data. The Regulation came into effect on the 25th of May 2018, as you will have noticed from all the emails you received.
So what’s it all about? And what is the impact on us Kiwis?
Discussions about a new reform began in 2010. In 2012 the European Commission proposed legislation; the debate intensified in 2013 after the Edward Snowden revelations, and after four years of debate the most lobbied law in the history of the EU was published in 2016.
Specifically, EU citizens have the right to:
- information about the processing of their personal data;
- obtain access to the personal data held about them;
- ask for incorrect, inaccurate or incomplete personal data to be corrected;
- request that personal data be erased when it’s no longer needed or if processing it is unlawful;
- object to the processing of their personal data for marketing purposes or on grounds relating to their particular situation;
- request the restriction of the processing of their personal data in specific cases;
- receive their personal data in a machine-readable format and send it to another controller (‘data portability’);
- request that decisions based on automated processing concerning them or significantly affecting them and based on their personal data are made by natural persons, not only by computers. They also have the right in this case to express their point of view and to contest the decision.
The New Zealand privacy laws have been found ‘adequate’ by the EU, though they are currently being reformed to become even more robust.
Following New Zealand privacy law will help you with GDPR compliance. Review and update your current processes for complying with NZ law, then take any extra steps needed to address the specifics of the GDPR. Fines for breaches of the new European regulation can be as high as €20m or 4% of annual global turnover (whichever is higher).
If you communicate with your customers electronically, ask yourself:
- What data are you asking for in your online forms – do you really need your visitor’s address to allow them to download something?
- Is your opt-in clear, and does it require direct action by the consumer? Strong, explicit opt-in consent always puts you in a better position.
- Does each type of marketing communication have its own opt-in? For example, if you’re asking for both a mobile phone number and an email address, each needs its own opt-in: ‘Yes, I would like to receive TXT notifications’ and ‘Yes, I would like to receive email updates’.
- Are your unsubscribe and preference centre up to date and working efficiently? Ideally, opting out should be automatic and immediate.
The systems InfoAge provides and manages for our clients are compliant. You too can take practical steps to review and audit your own privacy practices: look at what data you collect and what you then do with it. Here is the full 201-page regulation, and there are plenty of practical guides online on how to comply.