No need to fear: getting your head around the GDPR
If you have been reading anything about the impending go-live date of the General Data Protection Regulation (GDPR), you might be feeling a bit daunted: more stringent data protection standards, heightened rights for individuals, harsher penalties on data controllers and processors for failing to comply…chances are you are sweating and thinking “does this apply to me? Is my business up to scratch?”
Do not panic!
The GDPR does represent some significant changes in the privacy world. For some businesses those changes require immediate attention, and for all businesses in New Zealand they are coming; it is just a matter of time.
But there is nothing to fear so long as you are informed, prepared and equipped to take on the changes, and despite the Regulation coming into force today (May 25 2018) you still have time to take stock of your position.
What is the General Data Protection Regulation?
It is the European Union’s (EU) new legal framework for data protection. It is enforceable by national privacy authorities (like the Information Commissioner’s Office in the United Kingdom).
The GDPR aims to better protect the privacy rights of EU residents by granting them greater control over how their personal data is collected, processed and stored by businesses.
It requires greater transparency about how businesses handle personal data and imposes stricter accountability measures to ensure personal data is being properly protected.
It is a large step ahead of our Privacy Act 1993 and the Privacy Bill currently before Parliament.
But I am not in Europe, why do I care?
While the GDPR is an EU regulation, it has extra-territorial application. New Zealand businesses are governed by the GDPR to the extent that they deal with personal data belonging to individuals residing in the EU.
Even if you are not doing business in the EU, the GDPR contains a very broad catch-all that wraps up anyone “monitoring the behaviour of” EU residents.
You are certainly subject to the GDPR if you offer goods and services to EU residents (for example you operate an online store directed, in whole or in part, at EU residents), or you operate an office in the EU (think: Air New Zealand and Fonterra), and you process personal data belonging to individuals residing in the EU (regardless of whether it is processed in the EU or not).
If you are a business with a web presence directed at EU residents or with an EU user base, you should assume the GDPR applies to you.
While the GDPR comes into force today there has been widespread reporting that most national privacy regulators in the EU are unprepared for it. So in the short term, it’s pretty unlikely anyone will be knocking down your door, or your inbox.
Still, it’s a smart time to get your house in order. Law reform in this area is coming locally in any event.
And even if the regulation cannot be directly applied to you today, if you are buying the services of Google, Microsoft, Amazon, HubSpot, Mailchimp, Shopify, or any major international web service, you have probably already been required to be GDPR compliant. If you are not, you are probably in breach of those contracts.
Meanwhile in New Zealand, the Privacy Bill currently before Parliament is a weak upgrade to the current Act. Privacy commentators have largely joined with our Privacy Commissioner in urging Parliament to follow the GDPR closely and swiftly, so we expect the Bill to be renovated in light of the GDPR as it goes through the legislative process.
The good news is that, by and large, the Privacy Act and the GDPR are comparable, and if you’re complying with the Act you’re well on your way to GDPR compliance too.
However, the GDPR sets out your obligations in dealing with personal data in much tighter language and introduces some significant new rights for data subjects.
New rules, new language
The key terms of the GDPR are different from those in the Privacy Act, but many are equivalent to what we already understand. For example, use of personal information under the Act becomes processing of personal data in the GDPR. The Privacy Act’s identifiable individuals are the GDPR’s data subjects, and so on.
But there are some differences too. For example, the Privacy Act talks about an “agency” – the person holding personal information. In the GDPR one becomes two: “data controllers” and “data processors.” That split is easy to understand in an IT context. If Spotify hosts its music software on the servers of AWS, then all that information about your love of S-Club 7 is controlled by Spotify, but processed by AWS.
But other businesses will now wear two hats. Some data they collect and control for themselves (the data controller hat), e.g. browsing data: are you checking out cots and nappy bags? Other data they collect and process on behalf of sellers (the data processor hat), e.g. purchase and bid data that is collected in fulfilment of the agreement they have to make an item available for sale.
Under the Privacy Act, if you are processing the data, you have obligations to the individual who that information is about even if you do not ‘own’ that customer relationship. Under the GDPR, if you are having someone else process data for you, you have to front to your customer yourself every time.
If you are a small suburban florist using Mailchimp as your data processor, that might make you the tail trying to wag the dog.
For now, your business should take note of, and understand the shifting terminology, and consider your position as a processor or controller of personal information. If your business is dependent on a large data processor like Trade Me, have a think about how you might require them to comply with erasure requests in the future.
New rights for individuals
The GDPR introduces a number of new rights which individuals can enforce against you as a data controller in relation to how their personal data is handled. The four big ticket developments, in our view, are data portability, clarity of privacy information, rights in relation to artificial intelligence (AI) and the right to be forgotten.
The right to personal data portability in basic terms is the right to have all of your data given to you in a common format to do with as you wish. Want to take all of your music playlists from Spotify to Rdio? You now have the right.
The underlying policy is that individuals ‘own’ their data and if they want to change service provider or otherwise go elsewhere with their data then they should not be restricted in doing so. It is as much the removal of a competitive barrier as it is bolstering your privacy.
If you apply automated decision making based on the personal data you have collected you need to disclose this and explain the relevance and impact. The provisions about the use of “AI” to make decisions which impact the lives of individuals are a glimpse of just how significant this technology has already become.
Those provisions include a right to object to automated decision making about you at any time. The data controller can only continue if it is fulfilling a legal obligation or has compelling legitimate grounds to do so, and even where those exceptions apply, you will usually have the right to obtain human intervention and to contest any decision the AI has made about you.
The right to be forgotten is actually a simple right to the erasure of information held about you without undue delay. It became known as the right to be forgotten after Mario Costeja González took Google to court in Spain to compel them to remove historical information about him from search results. He won, and to varying degrees across Europe the right to be forgotten is already law, but the GDPR gives it consistency and, of course, potential extra-territorial impact.
The right to be forgotten has been one of the most talked about gaps in the Privacy Bill currently before Parliament. Expect lots of submissions on its inclusion, and expect change in this area of the law.
For established businesses who haven’t modernised their database architecture the right to be forgotten could bring with it significant practical difficulties. If your systems can’t handle removal of data about individuals, that is something to address urgently.
Privacy by design
The GDPR expressly requires organisations to be accountable for their management of personal data.
Not only are you required to collect personal data only for legitimate purposes, keep personal data secure and for only as long as it is reasonably required, and act lawfully and transparently in doing those things; you must also be able to demonstrate your compliance with data protection principles.
There are specific security provisions which require you to take appropriate technical and organisational measures to ensure an appropriate level of security, which measures may include pseudonymisation, encryption and processes for regularly testing and evaluating security.
You must adopt a privacy by design approach including, as a matter of process, removing identifying information when it is no longer required, not putting personal data to any further use without seeking additional consent (unless an exception applies), and keeping data accurate and up to date.
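To make the pseudonymisation, retention and erasure points above concrete (and the practical difficulty of erasure noted under the right to be forgotten), here is a small added example in Python. It is not code from the original article or from any firm or product it mentions; the customer, the orders and the retention period are constructed sample values. The store keeps order records under a random pseudonym and holds the table that links the pseudonym back to a person separately, so that erasure and scheduled purging only have to delete that link; a portability export gathers everything held about one person into JSON.

```python
import json
import secrets
from datetime import datetime, timedelta, timezone

# Constructed sample input: what a small online shop might hold about one customer.
SAMPLE_CUSTOMER = {"name": "Ada Example", "email": "ada@example.invalid"}
SAMPLE_ORDERS = [{"sku": "ROSES-12", "total_nzd": 65.0},
                 {"sku": "LILY-6", "total_nzd": 40.0}]


class PseudonymisedStore:
    """Order data is keyed by a random pseudonym. The re-identification table
    (pseudonym -> name, email) is held separately so it can be deleted on its
    own, either on an erasure request or when the retention period runs out.
    Hypothetical design for illustration, not any real system's schema."""

    def __init__(self, retention_days=365):
        self.retention = timedelta(days=retention_days)
        self.identities = {}   # pseudonym -> {"name", "email", "created"}
        self.orders = {}       # pseudonym -> list of order dicts (no direct identifiers)

    def register(self, name, email, now=None):
        # 128-bit random token: unguessable and carries no information about the person.
        pseudonym = secrets.token_hex(16)
        self.identities[pseudonym] = {
            "name": name,
            "email": email,
            "created": now or datetime.now(timezone.utc),
        }
        self.orders[pseudonym] = []
        return pseudonym

    def add_order(self, pseudonym, order):
        self.orders[pseudonym].append(dict(order))

    def export_portable(self, pseudonym):
        """Data portability: everything held about the subject, as JSON."""
        ident = self.identities.get(pseudonym)
        if ident is None:
            raise KeyError("no identifiable data held for this pseudonym")
        payload = {"name": ident["name"], "email": ident["email"],
                   "orders": self.orders.get(pseudonym, [])}
        return json.dumps(payload, sort_keys=True)

    def erase(self, pseudonym):
        """Right to erasure: drop the re-identification entry. The order rows
        stay for accounting, but nothing links them to a person any more."""
        return self.identities.pop(pseudonym, None) is not None

    def is_identifiable(self, pseudonym):
        return pseudonym in self.identities

    def purge_expired(self, now=None):
        """Retention: unlink identities older than the retention period."""
        now = now or datetime.now(timezone.utc)
        expired = [p for p, ident in self.identities.items()
                   if now - ident["created"] > self.retention]
        for p in expired:
            self.identities.pop(p)
        return len(expired)


def demo():
    """Register, export, erase, and report what survives each step."""
    store = PseudonymisedStore(retention_days=30)
    t0 = datetime(2018, 5, 25, tzinfo=timezone.utc)
    p = store.register(SAMPLE_CUSTOMER["name"], SAMPLE_CUSTOMER["email"], now=t0)
    for order in SAMPLE_ORDERS:
        store.add_order(p, order)
    exported = json.loads(store.export_portable(p))
    erased = store.erase(p)
    return {
        "exported_orders": len(exported["orders"]),
        "erased": erased,
        "identifiable_after": store.is_identifiable(p),
        "orders_kept": len(store.orders[p]),
    }


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that the pseudonym is random rather than derived from the email address: a hash of an identifier can be re-identified by anyone who can guess the input, whereas a random token can only be resolved through the separately held table, which is exactly the part an erasure request or the retention job removes.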
In many cases you will be required to designate a data protection officer (commonly called a privacy officer in New Zealand).
One of the tasks of that data protection officer will be to comply with the requirement to notify any personal data breach to a supervisory authority within 72 hours, and to an individual personally where a breach is likely to result in a high risk to that person’s rights and freedoms.
Stricter consent requirements
The “one-signature-consents-to-all” approach will no longer suffice. Consent now needs to be positively and explicitly obtained through a separate agreement with an individual, which clearly sets out any risks associated with any transfer of personal data.
“Affiliate consent” where one company obtains consent on behalf of all of its affiliates is gone too.
If you are a user of any internet service, your inbox will have been bulging over the last few days with updated privacy policies and notifications of GDPR compliance. The irony is that as companies rush to get their house in order, beef up their consents, and swamp you with information about how they’ve done that, they are doing exactly what the GDPR does not want them to do.
There is no easy answer, but poorly obtained consents and low quality communication of complex privacy information will be low hanging fruit for regulators once they tool up.
So what do you do with all of this? What has changed today compared to yesterday?
The key takeaway for you is to bump this up your list of priorities. The GDPR requires businesses to make changes to policies and processes relating to personal data, and it is likely the Privacy Act will eventually follow suit.
Taking steps to come within the GDPR today is effectively future-proofing for where New Zealand’s domestic law is likely to inevitably end up.
Familiarise yourself with your business and its current data management practices so you know what you need to update: where is personal data stored? How long does your business hold it for? How does your company currently respond to data breaches?
Knowing your current practices will help you to determine where to start with making changes to comply with the GDPR.
It is important to keep the GDPR in perspective as it swings into global force today. There is no need to fear the GDPR.
Disclaimer: the content of this article is general in nature and not intended as a substitute for specific professional advice on any matter and should not be relied upon for that purpose.