General Data Protection Regulation (GDPR)

The European Union (EU) will soon have new rules that are likely to affect the privacy policies of businesses around the world.  They relate to the collection of data from citizens of EU countries, and so can affect businesses even as far away as New Zealand.  The EU General Data Protection Regulation (known as the GDPR – more info here) has now come into force as of 25 May 2018.

There are three key ways that it could affect your business which you should be thinking through now.

1. Assessing to what extent it will affect you

To answer this you need to think through questions like this:

• do you market to and target EU residents via website?  Just having it accessible to them may not be enough – do you actively target EU residents to help those in the EU order tours or trips via your website such as offering the website in languages of the EU (beyond English)?
• what “personal” data do you collect about users/customers e.g. names, gender, dates of birth, phone, credit card information, addresses, emails etc.
• do you transfer data to the EU for example to any agents who act on your behalf there or do you have an “EU representative” or any physical presence at all?
• does anyone else store your data on servers offshore or is it all in New Zealand?

2. Reviewing your documents

In light of the answers above, the key one to review is your privacy policy and it is important to check what it says and if it needs updating to reflect best practice.  In addition, it is good to look at any consent forms (or places clients click) to check that they are widely enough drafted to give consent to use of their information.

• When looking at your privacy policy some key questions to ask are:
• What exactly is being collected?
• Which entity is collecting the data?
• What is the basis for receiving and for processing the data?
• Whether or not the data will be shared with third parties?
• How long will the data be stored for?
• How is the information collected going to be used?
• What rights does the person who submitted the information have to e.g. access it – and how?
• What the process for a complaint is?

3. Documenting how you comply

This is both an internal record but also could be used if you were ever asked to show how you are complying.  It would document the above two points clearly to explain how compliance with the new rules is ensured.

You may want to also designate a person or group to lead the effort within the business.  A “Data Protection Officer” could help lead the way in this regard.  They may want to prepare a “Data Protection Policy” which can also be used to educate the businesses’ senior decision makers about the GDPR’s new risk-based compliance approach, and the potential effects of non-compliance.

We are able to assist companies with a review of their privacy policies in light of the changes in the EU.  While it may seem amazing that a jurisdiction so far away could impact us this is likely to be an increasing trend as we move into even more of a global economy where countries and regions look to protect the data of their citizens.  This focus is highlighted by reports of the improper use of data by companies harvesting that information to use in elections.  If your answers to any of the questions above indicate a link with the EU then now is the time to take action.

This article is not a substitute for legal advice and you should talk to a lawyer about your specific situation. Please contact Steven Moe stevenmoe@parryfield.com at Parry Field Lawyers (348-8480)