Changing laws and privacy in the EU
At the end of last month, on 25 May, a new digital privacy regulation known as the General Data Protection Regulation (GDPR) came into force across the European Union. The GDPR centralises previously separate privacy legislation across the EU into one legally binding regulation designed to protect the privacy of EU residents. It regulates how businesses process and handle data, and makes them more accountable for data breaches.
Under this new regulation, companies must now show where a customer’s data is going, how it will be protected and what it will be used for. Customer data includes email and contact details, IP address, social media profiles and interests.
The GDPR formalises customers’ rights: the right to be informed about their personal data, the right of access to their personal information, the right of rectification to update information, the right of erasure so they can have personal data deleted, and the right to object to or unsubscribe from communications at any time.
Why this matters for us in New Zealand
The GDPR has ripple effects beyond Europe, as it is binding on anyone processing EU residents’ personal data. The regulation applies to anyone selling goods or services to EU citizens, including free services such as a website or email newsletter, or storing data of EU citizens. If a New Zealand website serves EU citizens, for instance, it must comply with the regulation. Failing to comply with the GDPR could lead to costly fines, with businesses paying up to 20 million euros or 4% of their global turnover – whichever is higher.
This regulation also indicates a shift in mentality around privacy and customer rights. New Zealand privacy laws, which have been found ‘adequate’ by the EU, are currently being reformed to make them more robust and better protect customers. The best thing any business can do in New Zealand is to take practical steps to improve their privacy processes.
What you can do today
Under the GDPR, businesses can collect personal data if someone consents to it, if it’s necessary for them to fulfil a contract, if the business has a legal obligation to do so, or if the company or organisation has a legitimate interest that doesn’t override the rights or freedoms of the person.
Following the establishment of this regulation, the first step any business should take is to run an audit of its data collection and processing. From there, it can run a ‘re-permission’ email campaign for current EU-based email contacts, ensure an ‘opt-in’ button is activated for email newsletters or subscription services, and ensure cookies are also opt-in before they’re used for new contacts.
More broadly, any business will benefit from doing a rundown of all the data it collects and what is done with it, in order to improve its data security and lead generation practices. Businesses should be thinking about how they can incorporate privacy into the development of new products and into key decisions, and ensure they are providing genuine value to customers who provide contact details or other information.
If you would like some assistance ensuring your IT systems are up to scratch, contact our Auckland IT Support Team here.