Everything you need to know about how the GDPR affects NZ businesses
In a little over a week's time the General Data Protection Regulation (GDPR) will go into effect in the European Union, signifying the most important change in data regulation/privacy laws to date. While the EU may seem like a long way away from New Zealand, the rules actually have a huge impact on any business that handles the personal data of anyone residing there. This means that some NZ organisations will need to review their internal processing procedures, or risk a hefty non-compliance fine — up to €20 million or 4% of annual worldwide turnover for any breach of the GDPR. I don't know about you, but I don't want to be on the receiving end of that.
Before we get into the nitty gritty about how the GDPR will affect NZ businesses, or what you need to do to be prepared, let’s back it up a little bit and talk about what it actually is.
What is the GDPR and why does it exist?
Before the GDPR there was the Data Protection Directive. It was initiated in 1995, before the internet had truly become such an integral part of our existence — we weren't sharing personal data online anywhere close to how we do today. You don't have to look much further than recent stories like the Facebook-Cambridge Analytica scandal to see why consumers are increasingly concerned about the security of their personal information and how that information is used.
The GDPR aims to re-establish trust by strengthening consumers' data and privacy rights. From 25 May 2018, there will be a single approach to data regulation across all EU member states. All organisations within the EU (or international organisations that hold personal information of anyone in the EU) will have to disclose the intended use and duration of storage of the data they acquire, and re-solicit permission each time a new use of the data is proposed. All in all, the GDPR is expected to collectively save companies €2.3 billion annually.
How will it affect people in the EU?
Once implemented, the GDPR will protect the following fundamental rights of citizens:
- Data erasure gives EU citizens the 'right to be forgotten': they can have their data deleted at any time if it is no longer relevant
- The right to ask what information an organisation holds about them (at reasonable intervals)
- The right to request that their information be transferred to another organisation; companies are expected to honour this request within four weeks
- Any information gathered must be necessary and correspond to legitimate interests connected with the product or service in question
- Controllers and processors must make it clear how they collect personal information, what it’s used for and the ways it’s processed
- Data cannot be given or sold to other companies, unless a citizen has explicitly indicated it is okay to do so
Okay, so how will it affect businesses in NZ?
While the GDPR applies to anyone who has an established business in the EU, it also applies to anyone who sells goods and services (including free services such as a website) to EU citizens, or stores and/or uses data of EU citizens – even if they’re not in the EU.
If you have information relating to an EU citizen in your database, you may be subject to the GDPR regulations. It would be responsible to weigh up how much of that data you hold, how sensitive it is and how strategic it is to your business, to help you decide what steps to take to comply.
What does this mean for the online advertising industry?
Businesses that wish to track online users (i.e. EU citizens) and collect their data must get clear and voluntary consent. Pre-checked opt-in boxes do not count as consent, and businesses cannot deny access to users who do not wish to consent. Also, consent must be obtained separately for each activity a business wants to use the data for. For instance, if you want to track a user's behaviour via web analytics and also use their data for advertising, you must get separate authorisation for each.
If you are a data processor, the GDPR also affects you. As agencies, we're often entrusted to look after our clients' data, and our clients trust us to take care of it. If you're an agency that handles data for your clients, you need to show that you are compliant. This means taking it seriously, having internal guidelines that govern how you handle data, and ensuring that the partners who handle your clients' data (publishers, tools, suppliers) are GDPR compliant too.
What are the steps NZ needs to take?
As a NZ business
As of now, NZ privacy laws have been deemed sufficient by the EU. However, they are being remodelled to become even more robust. So, we still need to take the following steps to ensure compliance:
- Conduct an audit of your current processes, data and lead gen practices to ensure they comply with current NZ laws, and take the additional steps needed to address areas that may pose a GDPR risk. Start by asking yourself the following:
  a. What data are you requesting in your lead gen forms?
  b. Is the data 'necessary and proportionate' to what you're trying to achieve? (Do you really need their ethnicity/age in order to let them download a whitepaper?)
- Ensure your opt-ins are clear and require direct action by the user. Having strong opt-in consent will help keep you GDPR compliant.
- Make sure that each type of marketing communication has its own opt-in. For instance, if you’re asking to send marketing comms to both a mobile phone and email address, you’ll need individual opt-ins.
- Check that your unsubscribe and preference centre are up to date and working efficiently.
As an NZ agency (data processor)
At a minimum, follow these steps:
- Have data management and privacy guidelines. These should document principles, key roles and responsibilities, and the key processes within the business.
- Ensure the key suppliers that use your clients' customers' data are GDPR compliant.
- Take data and privacy seriously, and include it in checklists, briefings and internal education throughout the agency.
Okay, so the GDPR implementation is going to take a little bit of time to get your head around, but it's a great excuse to take a hard look at your data and privacy policies and practices. And before you start panicking about compliance, know that the regulators will roll these changes out progressively and give warnings and time to rectify any issues. Only where there is clear and repeated non-compliance will you be at risk of prosecution.