IS YOUR BUSINESS READY FOR THE NEW EUROPEAN PRIVACY REGULATIONS?
With the rising concern over privacy and exchange of personal data, the European Union’s General Data Protection Regulation, which came into force on May 25, aims to protect individuals’ right to privacy and enhance data protection. And it could apply to some New Zealand companies too.
Data analytics and marketing company Qrious’ new CEO Nathalie Morris says while we may feel we’re not affected by regulations on the other side of the world, nevertheless the GDPR “provides us all with an opportunity to re-establish trust with the consumer and become better marketers. Increased transparency and understanding of why we collect, and how we use data, will ultimately work in our favour by building more trusting and meaningful relationships with consumers”.
In an article providing some background to the GDPR and how it may affect New Zealand marketers (www.qrious.co.nz) she says that there has been an increasing distrust by consumers around the use and security of their personal data and the GDPR hopes to re-instate this trust by strengthening the privacy rights of individuals.
“It does this in several notable ways. These include giving European citizens the ‘right to be forgotten’, also known as Data Erasure. They also have the right to ask what data a company holds on them, make changes, or transfer it to another company (referred to as ‘portability’). Any data that is collected in the first place will need to be deemed necessary and proportional to legitimate interests related to the services or products provided. So asking for relationship status (an extreme example), for a whitepaper download will likely be unlawful.”
She says there are also strengthened regulations around consent on the use of the data. Under the GDPR “consent must be freely given, specific, informed and an unambiguous indication of the data subject’s wishes which, by a statement or by a clear affirmative action, signifies agreement to processing”.
As to the kind of data the GDPR protects, Morris says it protects any information that can be used to identify an individual. That includes data tied to a person’s name, address or ID numbers. But it can also be a lot broader than that, including web data such as location, IP address, cookie data and RFID tags.
Certain special categories of data are then singled out for a higher level of protection, including:
• Health and genetic data.
• Trade union membership.
• Biometric data.
• Racial or ethnic data.
• Political opinions.
• Information about a person’s sex life or sexual orientation.
As the GDPR aims to protect EU citizens from data and privacy breaches that could affect them, this means that the GDPR rules apply very broadly. This is designed to address the problem that you can operate a website in the United States or New Zealand that affects EU citizens as much as a brick and mortar business located in France or Germany.
Morris says GDPR therefore applies to anyone who has an established business in the EU. But it may also apply to anyone who sells goods or services (including free services such as a website) to EU citizens or is storing and using data of EU citizens – even if they’re not in the EU. If your business fits into one of these categories, you will need to be aware of these regulations, consider further to what extent they may apply to your organisation, and what steps you should take to comply.
“This can mean that if you have data relating to an EU citizen in your database, you may be subject to the GDPR regulations. You will probably want to weigh up how much of that data you hold, how sensitive it is and how strategic to your business, to help you decide what steps you take to comply.” For many New Zealand organisations the GDPR may only apply in certain scenarios, to particular parts of the business or selected customers – if at all. So before you panic, think about how the GDPR may apply.
“Following New Zealand privacy laws, as well as following marketing best practices is a good start and will certainly help your GDPR compliance. However, any opportunity you can take to improve your general privacy baseline will be really beneficial.”
And while they can’t offer legal advice on what is required to become compliant, she can offer some practical tips to help get you started.
“It’s a good idea to review and update your current processes for complying with New Zealand law, followed by any extra steps needed to address areas of material GDPR risk. Even where the legal obligations are the same as under New Zealand law, the consequences under GDPR could be more significant. Breaches of the new European regulations will come with a hefty fine – as high as €20 million or four percent of your annual global turnover (whichever is higher).”
As a first step she recommends companies audit their data and lead generation practices. This could include:
• What data are you requesting in your lead generation forms – is it ‘necessary and proportionate’ to the purpose you’re trying to achieve?
• Is your opt-in clear and does it require direct action by the consumer? It is always a better position to be in to have a strong opt-in consent.
• Does each type of marketing communication have its own opt-in? i.e. if you’re asking for both a mobile phone and email address to send marketing communications, they will both need individual opt-ins – i.e. ‘Yes, I would like to receive TXT notifications’, and ‘Yes, I would like to receive email updates’.
• Is your unsubscribe and preference centre up-to-date and working efficiently? Ideally opt-out should be automatic and immediate.
If you’re unsure of your compliance requirements and how to prioritise these it’s important to seek legal advice. But taking practical steps to improve your privacy processes will often be beneficial.
“A good place to start is an audit of what data you collect and what you do with it. You can then use that information to improve your data security and lead generation practices and begin thinking about how you can incorporate thinking about privacy into the development of new products or key decisions about disclosure or use of personal information.
“It’s a good idea to revisit and, where needed, revise your privacy policy to make sure it’s clear on what data you collect, why you collect it, how you’ll be using it, and how an individual might be able to get access to or change the data you hold,” she says.