GDPR (General Data Protection Regulation) is a new set of European Union data privacy laws that goes into effect on the 25th of May 2018 and will affect many New Zealand businesses. The laws govern how companies collect, store and use personal information.
Organisations who don’t comply could be hit with large fines up to 4% of a company’s global annual turnover or €20 million.
You might still be thinking that these EU laws only affect Europe but not New Zealand – well it’s a lot more complicated than that. In fact, even if you use something common such as Google Analytics for your website tracking – you may lose website data that is 26 months old or more if you don’t take immediate action steps.
GDPR applies to all EU residents – even if the businesses or websites serving them are based outside of Europe.
In practice, this means that companies in New Zealand and around the globe will have to comply with GDPR if they wish to continue serving European users, otherwise they would have to build separate platforms and systems just for Europe – which is not feasible and would probably not work well with the internet’s intertwined nature.
You might have already come across many instances of businesses taking action steps towards complying with GDPR such as new privacy policies, terms & conditions or consent forms being rolled out from Microsoft, Google, Spotify, Quora, Mashable, Udemy, Discord, GoDaddy, LinkedIn, and more.
The end result of the GDPR will most likely mean that users will have more transparency and control over how their data is collected and used whether they reside in Europe or not.
Some of the main GDPR regulations includes:
As an NZ organisation serving users around the globe it may be best to do the following tasks:
Google emailed all analytics customers last month telling them that they have to “review these data retention settings and modify as needed” before 25th of May 2018 when GDPR becomes enforced. You may have logged in and seen this pop-up:
This is essentially Google putting the GDPR compliance requirement on its users (website owners) and not on themselves. It also means that Google will automatically delete all data that is older than the default setting (which appears to be 26 months).
If you want to retain your data it’s best to change the setting now so that data does not expire.
This should explain how you collect and use data, and which third party service providers you share that info with. It should also cover processes in which users can obtain and delete any stored data you have on them.
If you have newsletters going out make sure that people on your mailing lists have checked a box agreeing to receive those emails.
Make sure you only collect absolutely necessary info upon check-out or obtain explicit approval for the additional info you collect and state how you utilise it.
This is by no means a complete list of GDPR regulations that may apply to New Zealand businesses, however they are most probably the most common issues that will apply to the majority.