Data privacy legislation just underwent its most important change in 20 years – is your business doing enough to stay compliant?
Data privacy legislation recently underwent its most important change in 20 years, making a huge impact on online advertising and related privacy.
The General Data Protection Regulation (GDPR), adopted by the European Parliament in 2016, came into effect on 25 May 2018. As described on the EU's website, the law applies to all organisations established within the EU, and it also applies to organisations located outside the EU if they offer goods or services to, or monitor the behaviour of, data subjects in the EU.
Therefore, any company, regardless of where it is located, that holds and processes the personal data of people residing in the European Union must ensure it complies with the GDPR.
To be clear, though: the GDPR does not apply to a New Zealand company merely because its website or contact details are accessible from the EU, or to EU citizens living outside the EU. Nor does it apply if the New Zealand business's website is targeted at non-EU countries. The GDPR does apply if the website is set up to let people in the EU order goods or services, or is intended to monitor the behaviour of people in the EU (for example through tracking and profiling).
So what does this mean in the world of digital marketing and the work that krunch.co performs for our clients?
First, compliance requires collaboration between brands and their technology partners, which the GDPR calls data controllers (who decide why and how personal data is processed) and data processors (who process it on the controller's behalf). Both roles carry duties and liabilities under the GDPR, including, for example, ensuring that data is processed fairly and lawfully for specified, explicit and legitimate purposes.
Next, each organisation must identify the lawful basis it relies on for every use of the consumer data it collects, and be transparent about that use. For example, if you use Google Analytics or the Facebook pixel, you need to tell your users what kinds of data you collect, what you do with it, and who else will receive it.
So what can you do? The recent DirectorsBrief from the Institute of Directors entitled “Are you Ready for GDPR” highlights five steps businesses can take to ensure they’re compliant with these regulations:
1) Understand your data: What personal data do you collect and how is it processed? For example, is it accessed without consent? Is it sent to third parties? The definition of personal data is broader than the usual notion of personally identifiable information: it covers photos, email addresses, location data, political opinions, IP addresses, cookie and device identifiers and much more.
2) Create (or update) your data purpose(s): Once you understand your data, document exactly what data is collected, why it is collected, where it is processed, who processes it and where if that is outside the EU, how long it will be retained, and so on. The legal basis for each processing activity must be clear. If you already have a documented data purpose, check that it is GDPR compliant.
3) Ensure consent: Where you rely on consent, make sure you can demonstrate it in the event of a data subject request or a complaint (for example, by recording what the person agreed to, when, and how). Consent must be freely given, specific, informed and unambiguous, and it must be as easy to withdraw as it was to give. Pre-ticked boxes and silence are not valid forms of consent.
4) Support the data subject's rights: Review business policies and processes so that users can, for example, access, correct, restrict, object to the processing of, port or erase their data. The "right to be forgotten" (the right to erasure) is a key element of the GDPR.
5) Create an incident response plan: The GDPR's mandatory breach notification requires that a personal data breach be reported to the relevant supervisory authority within 72 hours of the organisation becoming aware of it, where feasible, and that affected individuals be told without undue delay when the breach is likely to result in a high risk to them. That deadline is only achievable if detection, investigation and escalation are planned in advance.
Non-compliance with the GDPR can be very expensive: organisations can be fined up to €20 million or up to 4 percent of total worldwide annual turnover for the preceding financial year, whichever is higher, and regulators have already begun issuing penalties.
Personal information is collected through a wide number of sources for a large number of reasons. In this new privacy age, data controllers and data processors need to work together and ensure that data privacy issues are handled in compliance with the GDPR.
We’re happy to chat through what it means specifically for your business.
Note: New Zealand's own privacy reform, the Privacy Bill, is currently before a select committee awaiting further submissions. It will repeal and replace the Privacy Act 1993 and is expected to move New Zealand law closer to the European GDPR, although it is not a copy of it.