At the start of last year, we were gearing up for the introduction of the General Data Protection Regulation (GDPR). The GDPR is the widest-reaching and most stringent set of data protection laws the international stage has seen to date. Nine months later, we are starting to see its impact.
The consequences for non-compliance have been varied. Under the GDPR, the highest sanctions can be a fine of up to €20 million, or 4% of global annual turnover, whichever is higher. A new report by international firm DLA Piper counted just below 60,000 GDPR data breaches reported since its introduction. Despite these numbers, fewer than 100 fines have been issued by regulators. The DLA Piper researchers attributed this low response to regulators still finding their feet in their heightened supervisory roles. Google has been given the highest fine so far, at €50 million. At the lower end, an Austrian betting shop was fined €4,800 plus legal costs when its security camera, trained on the entrance, also captured the footpath outside. It was held to be in breach of the GDPR, as monitoring of public space is not allowed.
Despite being EU legislation, the GDPR can still impact businesses in New Zealand. You will likely need to comply with the GDPR if you:
- have a branch or subsidiary in the EU;
- monitor the behaviour of EU residents (e.g. monitor how many EU customers visit your website); or
- sell goods or services to people who live in the EU.
While no fines have yet been issued outside the EU, NZ companies should not take a relaxed approach to GDPR compliance. As the regulators establish themselves, we may see more attention turned towards businesses outside the EU.