The EU’s GDPR rules have come into force. Bill Bennett explains what this means for New Zealand businesses, even if they don’t trade with Europe.
European Union rules seem distant to most New Zealand business operators. Yet the EU’s General Data Protection Regulation has a long reach.
The GDPR came into force in May 2018 and you must follow its rules if you do business with European companies or consumers. The fines for failing are huge: up to four percent of your annual worldwide turnover or €20 million, whichever is higher.
Even if your business isn’t in the EU’s sights, there’s a knock-on effect. Any business that keeps customer records or any other kind of personal data will need to lift its game.
It’s worth taking notice of the GDPR as it is fast becoming the global standard for looking after personal data.
People worry about their privacy and the way organisations use personal data. Their fears have grown in recent years with good reason; every week or so there’s another story about private data misuse.
They are also concerned about data security. This isn’t an abstract idea. In 2015 hackers stole the customer records of Ashley Madison, including names, and published them.
The site promised members they could have discreet extramarital relations, and the leak ruined many people’s lives. There were even reports of suicides.
But while it was a high profile event, it was not an isolated incident.
It shouldn’t surprise you to learn consumers distrust companies that fail to protect personal data. Rising levels of mistrust threaten the growth and use of online services. That is bad news for business owners and the wider economy.
Putting this right is in everyone’s interest – everyone, except criminals and scoundrels.
The GDPR sets out to protect a person’s right to privacy and to provide greater data protection.
The key here is that the rules don’t only apply to companies in the EU. They apply to anyone who offers goods or services to people in Europe or tracks their behaviour, which could mean you if there are European customers on, say, your Manuka Honey soap database.
Because companies must obey the rules to trade with Europe, the rules are now widely followed and stand as a benchmark. This means your customers and business partners may expect you to follow the same rules, even if you don’t trade with Europe.
What are the rules?
Many of your customers, business partners and suppliers will already follow GDPR rules. They may be uncomfortable if you’re not at least up to date with the principles.
There are a few important points about what the GDPR does. First, it gives Europeans the right to be forgotten, formally the right to erasure. This means if a customer requests it, you have to erase the data you hold on them unless you have a legal obligation or another lawful reason to keep it, for example tax records you are required to retain.
Customers are also able to ask you what data you hold on them, and you’re obliged to give them this information, normally within a month. Customers can also ask you to correct records that are wrong.
If they want to transfer the data you collected to one of your rivals, they can; you have to supply it in a structured, machine-readable format. In practice this might not be as much of a problem as it sounds.
You need to be able to show the data you collect is necessary to your business and proportionate to the task in hand. So if you sell, say, soap bars, you can’t ask a customer about their age or personal relationships because it wouldn’t be appropriate. However, that personal data would be fine if you ran a dating business.
You can’t give or sell personal data to other companies or business partners without a lawful basis, which in practice usually means the customer’s clear, specific consent. And you can’t keep data longer than necessary either.
This doesn’t mean you must wipe a customer’s data the moment they stop buying, but it does mean you should wipe it once you have no realistic need for it, for instance when you never expect to deal with them again. Decide your retention periods in advance and write them down, so you can show why a record is still on file.
Most of the GDPR rules mentioned so far are more or less in line with New Zealand’s Privacy Act – at least in broad terms. The basics of both sets of regulations are that you need to be careful and open about collecting information. You also need to ‘take reasonable steps’ to make sure data is accurate and not misleading. Much of it is common sense.
If you keep any kind of data then you should look closer at the actual New Zealand rules. You can find out more at the Privacy Commissioner’s website: www.privacy.org.nz.
It’s tough for smaller businesses
Things get difficult for smaller New Zealand businesses when it comes to protecting privacy. Putting the right level of security in place isn’t obvious. It goes beyond installing anti-virus software and firewalls: you also need to control who on your staff can see customer data, keep a record of who accessed it, and give staff formal training on procedures.
A business can’t have privacy without decent security. Data needs to be secure to remain private, and the GDPR expects you to report a breach of personal data to the regulator within 72 hours of discovering it.
Another potential difficulty is that the GDPR expects you to take special care of anything that can identify someone. On a simple level this could be data linked to a name, address, phone number or driver’s licence number. All that is easy.
It also applies to less obvious identifiers such as the cookie data that tracks website visitors, IP addresses and device identifiers. It can get tricky if, say, there’s an RFID tag connected to something the person owns.
The GDPR calls for additional levels of protection for some kinds of data. This includes health or genetic information and biometric data. Treat anything that might reveal racial or ethnic details with kid gloves. Likewise, information about sexual orientation, religious or political beliefs and trade union membership.
If all this sounds too hard – and for many people it will – then you might want to consider if you still need to deal direct with European customers. This could be an ideal moment to hunt out a distributor or master retailer on that continent.
Europe will be a strategic market for some people. If so, it may pay to get specialist advice on what to do.
While the penalties for getting things wrong are high, the European regulators aren’t looking for scapegoats. Enforcement sits with each member state’s data protection authority, and there’s little chance one will mobilise legal resources to crush a small exporter. Warnings and orders to fix a problem come before fines, so you’ll get a chance to put things right first.
The EU has formally recognised New Zealand’s privacy laws as adequate, which allows personal data to flow from Europe to New Zealand. However, the government still plans to tighten those laws, which will take things further.
This means if you follow the local rules then you’ll be well on the way to being GDPR ready.
Bill Bennett is an Auckland-based business IT writer and commentator. Email [email protected]. This article first appeared in the September 2018 issue of NZBusiness.