Of all the major personal data related things going on in this globally connected world of ours at the moment, the General Data Protection Regulation (GDPR) that comes into force in Europe on the 25th of May is probably not at the top of most businesses’ minds.
Our focus has been on Cambridge Analytica, Zuckerberg in front of the Senate, and the general hullabaloo focusing on Facebook.
Meanwhile, the biggest change to European Data Regulations in nearly 25 years has been rumbling along, unnoticed. It was adopted in 2016, so we’ve had plenty of notice - the two year transition period finishes on the 25th of May 2018.
This post focuses on New Zealand businesses, but it applies just as easily to businesses in other non-European countries around the world. Let’s take a look at why a European regulation is something that every business should be thinking about:
What is the GDPR?
The GDPR is a European Union initiative focused on harmonising the data protection laws across European Union member states.
Basically, it’s a giant upgrade to the 1995 Data Protection Directive, and it doesn’t just “harmonise” laws - it gives them some heavy duty reinforcing.
It is heavily focused on giving European Union Citizens more control over their personal data, who has it, how it is collected, and what it is used for.
Data must be collected with a purpose and the consent of the person it’s being collected from. Additionally, people have the right to erasure (to require their data to be erased), the right of access (to require access to their data) and data portability (to require that the collector of the data electronically pass it to another party).
For businesses, there are some new accountability and compliance provisions that have been introduced to make sure that big corporates and small businesses are playing their part. There are also some hefty fines for non-compliance.
For more information, check out this great write-up of the GDPR’s full impact (from a UK perspective) that appeared in Wired.
Ok, great, but I’m not in Europe. How does it affect me?
The New Zealand Law Society have done a nice job of explaining everyone it affects, but most New Zealand businesses will fall into the “Non-EU based entities processing data of individuals within the EU” camp. This means that if you are a New Zealand organisation collecting the data of individuals within the EU, you’re potentially in the gun. Some examples:
- You’re a New Zealand based financial adviser with New Zealanders who live in Germany as clients
- You’re a tourist operator who provides tours to Spanish citizens visiting New Zealand
- You have an online store selling Kiwiana to people around the world, and you receive regular orders from France
- You have subscribers to your Australasian investment research blog based in Sweden
- You use a cookie or a pixel to track visitors to your website and you receive visitors from Italy
That last one falls under the requirement to comply if you monitor the behaviour of a person in the EU. It’s a massive catch-all that most businesses around the world probably haven’t thought about.
A non-exhaustive list of types of personal data you might collect is below (every business collects at least one part of this data).
- Personal details such as the person’s name, address, email;
- Financial details such as how much the person earns, credit ratings;
- Medical details about a person’s mental or physical health;
- Details about a person’s ethnicity, political opinions, religious beliefs, or sexual life;
- Images or voice recordings of a person;
- Employment details;
- IP address of a person that visits a website;
- Cookies (not the delicious kind);
- Criminal records or alleged offence;
- Biometric data; or
- Location data.
Right. So I need to pay attention - what should I do about it?
You should probably take some advice from a member of the legal profession.
Now that’s out of the way, let’s look at some steps you can take to comply with the GDPR and minimise your risk.
Here are some quick and easy things you can check:
Make sure that you’re getting the consent of the people whose data you’re collecting. This needs to be pretty clear - you can’t hide it in Ts and Cs, pre-tick consent boxes, or do anything else shifty. If you have already got consent, but it doesn’t meet GDPR standards, you need to get it again.
This is a pretty high bar, but it’s also best practice. Make sure your forms and opt-ins (both digital and physical) comply, and then use it as an opportunity to re-engage your customer base. Let them know you’re taking their privacy seriously, and give them an opportunity to re-opt in to your database (even if they’re a paying customer).
Cookies and tracking
Most websites have some sort of cookie collection or tracking system enabled - Google Analytics and Facebook pixels are common examples.
If you have these enabled you have to:
- Make sure that people are consenting to be tracked (as tracking is collection of personal data)
- Make sure that people can opt out just as easily as they can opt in
- Have consent that meets the requirements for the purpose of all, some or none of your tracking (as it’s the user’s right to choose, not the business’s)
- Make sure that Do Not Track (DNT) browser requests are respected - this is an opt-out
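As an added example (not code from the original post), here is a small consent gate that applies those four rules to a website’s trackers: nothing loads until the visitor opts in, consent is held per purpose, a Do Not Track signal is treated as an opt-out, and withdrawing consent is a single call. The purpose names, the `load` callback and the injected `nav`/`storage` objects are assumptions so the code runs outside a browser.

```javascript
// Added example: consent gate for trackers (not from the original post).
// Assumptions: purpose names, load(), and the injected nav/storage objects are
// hypothetical; on a real page pass window.navigator and window.localStorage
// and have load() run the actual analytics / pixel snippet.
const PURPOSES = ["analytics", "ads_pixel"]; // hypothetical tracker purposes
const KEY = "tracking_consent";

// DNT is an opt-out: "1" (and the older Firefox value "yes") means do not track.
function dntEnabled(nav) {
  const v = nav && (nav.doNotTrack || nav.msDoNotTrack);
  return v === "1" || v === "yes";
}

function memoryStorage() { // stand-in for localStorage so this runs under Node
  const m = new Map();
  return { getItem: (k) => (m.has(k) ? m.get(k) : null), setItem: (k, v) => m.set(k, String(v)) };
}

function createConsentGate({ nav, storage, load }) {
  const read = () => JSON.parse(storage.getItem(KEY) || "{}");
  const write = (c) => storage.setItem(KEY, JSON.stringify(c));
  const loaded = new Set();
  return {
    // Nothing is pre-ticked: no stored consent means refusal, and DNT overrides consent.
    allowed(purpose) {
      return !dntEnabled(nav) && read()[purpose] === true;
    },
    // The visitor may accept all, some or none of the purposes.
    grant(purposes) {
      const c = read();
      for (const p of purposes) if (PURPOSES.includes(p)) c[p] = true;
      write(c);
      return this.apply();
    },
    // Opting out is no harder than opting in. A script that is already loaded
    // cannot be unloaded, so a real page should also call each tracker's own disable hook.
    revoke(purposes = PURPOSES) {
      const c = read();
      for (const p of purposes) c[p] = false;
      write(c);
    },
    // Load each allowed tracker once; returns the purposes loaded so far.
    apply() {
      for (const p of PURPOSES) if (this.allowed(p) && !loaded.has(p)) { loaded.add(p); load(p); }
      return [...loaded];
    },
  };
}
```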
Access and erasure
You’ll need to make sure your customers know that you have their data, that they have access to it, and that you can erase it. Compliance has been made easier by the removal of the right to be forgotten provision, which called for organisations to be able to erase any trace of a person from their systems on request.
If someone requests access to their data, you’ll need to provide it to them for no charge. The regulation is explicit that people should be able to access their own data for free. You’ll also need to be able to provide it to them in a format they can reasonably use, so sending someone a SQL file is probably not a great way to go.
You also need to be confident that, if someone asks you to erase them from your systems, you can actually do it. There are a few circumstances where you can legally decline their request - if you are legally required to hold the data, you can keep it. If you’re asked to erase it, you have one month to comply - once you’ve complied, you also need to let them know if you’ve disclosed the data to any third parties, such as Facebook or Google.
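As an added example (not code from the original post), the two request types above against a small customer store: an access request returns plain JSON rather than a database dump, and an erasure request computes the one-month deadline, keeps only records flagged as legally required to retain, and returns the third parties the person must be told about. The store shape, the `legalHold` flag and the disclosures log are assumptions, and the sample data is constructed.

```javascript
// Added example: access and erasure requests (not from the original post).
// Assumptions: store shape, the legalHold flag (e.g. an invoice you must keep
// under tax rules) and the disclosures log are hypothetical; data is constructed.
const store = {
  customers: { "c-42": { name: "Example Person", email: "person@example.invalid", country: "FR" } },
  orders: [
    { id: "o-1", customer: "c-42", total: 120.0, legalHold: true }, // must be retained
    { id: "o-2", customer: "c-42", total: 35.5, legalHold: false },
  ],
  // Which third parties each person's data was passed to; needed for erasure notices.
  disclosures: [
    { customer: "c-42", party: "analytics-provider" },
    { customer: "c-42", party: "ads-platform" },
  ],
};

// Access request: everything held about the person, as plain JSON, free of charge.
function exportSubjectData(db, customerId) {
  return {
    profile: db.customers[customerId] || null,
    orders: db.orders.filter((o) => o.customer === customerId),
    sharedWith: [...new Set(db.disclosures.filter((d) => d.customer === customerId).map((d) => d.party))],
  };
}

// Erasure request: due within one month; legally held records stay, the rest
// is removed, and the reply lists which third parties to inform.
function eraseSubject(db, customerId, requestedOn) {
  const due = new Date(requestedOn);
  due.setUTCMonth(due.getUTCMonth() + 1);
  const retained = db.orders.filter((o) => o.customer === customerId && o.legalHold).map((o) => o.id);
  db.orders = db.orders.filter((o) => o.customer !== customerId || o.legalHold);
  const notify = [...new Set(db.disclosures.filter((d) => d.customer === customerId).map((d) => d.party))];
  db.disclosures = db.disclosures.filter((d) => d.customer !== customerId);
  delete db.customers[customerId];
  return { dueBy: due.toISOString().slice(0, 10), retained, notify };
}
```

Records kept under a legal hold should still be reduced to the minimum the obligation requires, which this example does not do.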
Legal grounds for processing data
You have to have a reason to have the data - just because you acquired it isn’t enough. Make sure that the data that you’re collecting is the right data, and you’re not collecting information you don’t need.
Who can help me?
There’s a few people who can help you.
For any updates to your forms, and to install your cookie consents, get your website provider involved. If any personal data is hosted with them (for example, on their server), make sure they’re aware of their responsibilities under GDPR too.
Finally, you can do a lot of this yourself. Check your processes, and make sure you’re only collecting information you need. Check your customer database and website analytics for any evidence of people living in the EU interacting with your business. Communicate with your customers (both in the EU and outside) and make sure they know you’re aware of GDPR and taking it seriously.
Chances are that the EU won’t be looking hard at smaller businesses outside of Europe for GDPR compliance (you can bet the big corporates will be under the microscope though), so you could probably ignore GDPR and get away with it.
However, most smaller businesses are a little lax with data consent and protection anyway, and we need to be better at it. The GDPR is a great chance to adopt some best practices and make sure that your business treats its customers’ precious data better.