IS YOUR BUSINESS READY FOR THE NEW EUROPEAN PRIVACY REGULATIONS?

NZ Business - FROM THE EDITORS

With the rising concern over privacy and exchange of personal data, the European Union’s General Data Protection Regulation, which came into force on May 25, aims to protect individuals’ right to privacy and enhance data protection. And it could apply to some New Zealand companies too.

Data analytics and marketing company Qrious’ new CEO Nathalie Morris says while we may feel we’re not affected by regulations on the other side of the world, nevertheless the GDPR “provides us all with an opportunity to re-establish trust with the consumer and become better marketers. Increased transparency and understanding of why we collect, and how we use data, will ultimately work in our favour by building more trusting and meaningful relationships with consumers”.

In an article providing some background to the GDPR and how it may affect New Zealand marketers (www.qrious.co.nz) she says that there has been an increasing distrust by consumers around the use and security of their personal data and the GDPR hopes to re-instate this trust by strengthening the privacy rights of individuals.

“It does this in several notable ways. These include giving European citizens the ‘right to be forgotten’, also known as Data Erasure. They also have the right to ask what data a company holds on them, make changes, or transfer it to another company (referred to as ‘portability’). Any data that is collected in the first place will need to be deemed necessary and proportional to legitimate interests related to the services or products provided. So asking for relationship status (an extreme example), for a whitepaper download will likely be unlawful.”

She says there are also strengthened regulations around consent on the use of the data. Under the GDPR “consent must be freely given, specific, informed and an unambiguous indication of the data subject’s wishes which, by a statement or by a clear affirmative action, signifies agreement to processing”.

As to the kind of data the GDPR protects, Morris says it protects any information that can be used to identify an individual. That includes data tied to a person’s name, address or ID numbers. But it can also be a lot broader than that, including web data such as location, IP address, cookie data and RFID tags.

Certain special categories of data are then singled out for a higher level of protection, including:
• Health and genetic data.
• Trade union membership.
• Biometric data.
• Racial or ethnic data.
• Political opinions.
• Information about a person’s sex life or sexual orientation.

As the GDPR aims to protect EU citizens from data and privacy breaches that could affect them, this means that the GDPR rules apply very broadly. This is designed to address the problem that you can operate a website in the United States or New Zealand that affects EU citizens as much as a brick and mortar business located in France or Germany.

Morris says GDPR therefore applies to anyone who has an established business in the EU, but may also apply to anyone who sells goods or services (including free services such as a website) to EU citizens or is storing and using data of EU citizens – even if they’re not in the EU. If your business fits into one of these categories, you will need to be aware of these regulations, consider further to what extent they may apply to your organisation, and what steps you should take to comply.

“This can mean that if you have data relating to an EU citizen in your database, you may be subject to the GDPR regulations. You will probably want to weigh up how much of that data you hold, how sensitive it is and how strategic to your business, to help you decide what steps you take to comply.” For many New Zealand organisations the GDPR may only apply in certain scenarios, to particular parts of the business or selected customers – if at all. So before you panic, think about how the GDPR may apply.

“Following New Zealand privacy laws, as well as following marketing best practices is a good start and will certainly help your GDPR compliance. However, any opportunity you can take to improve your general privacy baseline will be really beneficial.”

And while they can’t offer legal advice on what is required to become compliant, she can offer some practical tips to help get you started.

“It’s a good idea to review and update your current processes for complying with New Zealand law, followed by any extra steps needed to address areas of material GDPR risk. Even where the legal obligations are the same as under New Zealand law, the consequences under GDPR could be more significant. Breaches of the new European regulations will come with a hefty fine – as high as €20 million or four percent of your annual global turnover (whichever is higher).”

As a first step she recommends companies audit their data and lead generation practices. This could include:
• What data are you requesting in your lead generation forms – is it ‘necessary and proportionate’ to the purpose you’re trying to achieve?
• Is your opt-in clear and does it require direct action by the consumer? It is always a better position to be in to have a strong opt-in consent.
• Does each type of marketing communication have its own opt-in? i.e. if you’re asking for both a mobile phone and email address to send marketing communications, they will both need individual opt-ins – i.e. ‘Yes, I would like to receive TXT notifications’, and ‘Yes, I would like to receive email updates’.
• Is your unsubscribe and preference centre up-to-date and working efficiently? Ideally opt-out should be automatic and immediate.

If you’re unsure of your compliance requirements and how to prioritise these, it’s important to seek legal advice. But taking practical steps to improve your privacy processes will often be beneficial.

“A good place to start is an audit of what data you collect and what you do with it. You can then use that information to improve your data security and lead generation practices and begin thinking about how you can incorporate thinking about privacy into the development of new products or key decisions about disclosure or use of personal information.

“It’s a good idea to revisit and, where needed, revise your privacy policy to make sure it’s clear on what data you collect, why you collect it, how you’ll be using it, and how an individual might be able to get access to or change the data you hold,” she says.
