Are you GDPR compliant? - A checklist for New Zealand organisations

July 02, 2018


Partners Jania Baigent, Karen Ngan
Senior Associates Joanne Dickson

Data protection (inc Privacy Bill and GDPR)

New Zealand organisations offering goods or services to EU residents in the EU, or monitoring the behaviour of EU residents in the EU, need to be aware of the General Data Protection Regulation, commonly referred to as the GDPR, and its potential application to their activities.

Breaching the GDPR could result in significant financial and adverse reputational consequences.

What is the GDPR?

The GDPR is an EU regulation that came into effect on 25 May 2018. It potentially applies to all businesses that process the personal data of EU residents, even if the business is not established in the EU.

The key purpose of the GDPR is to set out rules for the protection of personal data and the movement of personal data within the EU. Under the GDPR, “personal data” means any information relating to an identified or identifiable natural person.

Key principles under the GDPR

The GDPR sets out a number of principles relating to personal data, some of which are similar to those we already have under the New Zealand Privacy Act, but some of which go further.

Key principles / aspects of the GDPR include:

Lawful Processing
All processing of personal data must be lawful. Under the GDPR the term “processing” is very broad and could cover practically anything that can be done with data. It includes storing, collecting, recording, using, and disclosing personal data. For processing to be lawful, the processing must:

  • have been consented to by the data subject;
  • have been necessary for the performance of a contract to which the data subject is a party; or
  • have been necessary for compliance with a legal obligation.

Rights of Access, Rectification, Erasure and Portability
As under the New Zealand Privacy Act, the GDPR gives individuals the right to access their personal data, and to have inaccuracies corrected. Individuals also have rights to:

  • have personal data erased in certain situations, such as where the personal data is no longer necessary for the purpose for which it was collected - this is also known as the “right to be forgotten”;
  • data portability - being the right to have their personal data transmitted in a machine-readable format to another entity as directed by the individual; and
  • require restriction of processing, object to processing and to not be subject to automatic processing, including profiling.

Right to Information
Individuals have the right to receive certain information about their personal data in a concise, transparent, intelligible and easily accessible form, using clear and plain language. This includes information about what personal data is being collected, who is collecting it, the purposes of processing, the rights the individual has to access, rectification and erasure, and rights to restrict or object to processing.

Mandatory Data Breach Reporting
One aspect of the GDPR that has received a lot of attention is the requirement to report a data breach. Data breaches are required to be reported to the regulator (or “supervisory authority”) in the relevant EU member state without undue delay, and within 72 hours after becoming aware of it where feasible.

If the data breach is likely to result in a high risk to the rights and freedoms of natural persons, the breach is to be notified to the data subject as well.

Transfer of Personal Data Out of the EU
Personal data can only be transferred out of the EU if:

  • the data is transferred to a country that has been determined by the European Commission to have an adequate level of protection (commonly referred to as having “adequacy status”); or
  • provision has been made for appropriate safeguards, and enforceable data subject rights, and effective legal remedies for data subjects, are available.

New Zealand is one of a small number of non-EU countries that enjoys adequacy status. If data is being transferred to a country that does not have adequacy status, additional requirements will need to be satisfied.

Consequences of Non-Compliance with the GDPR
The financial consequences of failing to comply with the GDPR can be significant.

Fines of up to €20,000,000 or 4% of total worldwide annual turnover for the preceding financial year (whichever is the highest) may be imposed if, for example, a business infringes any of the rights provided to EU residents under the GDPR.

In addition, an entity may be liable to compensate any person who has suffered damage as a result of that entity’s infringement of the GDPR, or the infringement by someone else who is processing personal data under that entity’s authority.

How is GDPR relevant to New Zealand organisations?

The GDPR clearly applies to the processing of personal data in connection with the activities of an entity established in the EU.

The GDPR also expressly provides that it applies to the processing of the personal data of EU data subjects by an entity not established in the EU, where the processing relates to:

  • offering goods or services to EU residents in the EU; or
  • monitoring the behaviour of EU residents to the extent that behaviour takes place within the EU.

The GDPR does not provide any clear guidance as to what type or level of activity will trigger the application of the GDPR for non-EU organisations, or about how the GDPR will be enforced against non-EU businesses.

It is likely that merely having a website that is accessible in the EU would not be considered to be offering goods or services to EU data subjects for the purposes of the GDPR, but if a website provides for payment in Euros and the content is in the language of the particular EU state it is targeted to, it may be. Similarly, if you are able to monitor website activity of individuals who are in the EU while they are in the EU, that may also trigger application of the GDPR.

We expect that the immediate attention of EU data protection regulators will be focussed on the activities of EU data controllers and processors. However, it is important that any non-EU organisation promoting its goods or services to EU residents in the EU is aware of the GDPR requirements, as ignoring them, and being in breach of the GDPR, can have significant financial consequences, as well as cause reputational damage.

What should New Zealand businesses be doing to ensure they are not caught out?

The first thing you should do is undertake an assessment of whether or not your activities fall within the territorial scope of the GDPR. That is, are you offering goods and services to EU residents? Or, are you monitoring the activities of EU residents while they are in the EU?

If the GDPR could apply to your business, below is a checklist of some things to consider:

  • Are you offering goods and services to EU residents? Or, are you monitoring the activities of EU residents while they are in the EU?
  • Are you collecting, using or storing personal data of EU residents? If so, this could mean you are processing personal data.
  • If you are processing personal data, is the processing lawful?
      - Do you have a legitimate interest in processing that personal data?
      - Do you have the consent of the EU residents to the processing of their personal data?
  • Have all required disclosures regarding the personal data been given by you to the data subjects?
  • Are you able to comply with a data subject’s requirements in relation to:
      - Access and correction?
      - Erasure?
      - Data portability?
      - Objections or restrictions to processing?
      - Automated processing?
  • Have you appointed a Data Protection Officer?
  • Will you be transferring any personal data out of the EU?
      - If so, is it being transferred to a country with adequacy status?
  • Do you have processes in place to ensure you are able to identify, and deal with, data breaches quickly, efficiently and in a manner that meets the requirements of the GDPR, including notification to regulators and the affected data subjects?

Our team of experts are available to help you work out if you are captured by the GDPR, and if so, what steps you need to take to ensure that you comply.