GDPR Compliance: What Europe’s New General Data Protection Regulation Means For Your Business

Disclaimer: What follows is not, nor is it intended to be, legal advice. Should you be concerned about the implications of the GDPR for your business, we encourage you to seek legal advice.

GDPR stands for General Data Protection Regulation. It’s a new privacy and cybersecurity law that takes effect on 25 May 2018 and covers residents of the European Economic Area (that is, the European Union, Iceland, Liechtenstein and Norway).

Its impending introduction has made a whole lot of big Internet companies sit up and take notice. That’s why so many of them have introduced new data privacy and security policies that take effect on or shortly before 25 May.

Why should you care? Because there are stiff penalties for breaching those laws, and those penalties apply worldwide – even to NZ businesses that have people on their email list or in their database who are resident within this area. So all you need is one EEA resident on your mailing list, and with regard to the information you hold about them, these laws apply to your business.

Two key messages:

Any New Zealand company dealing with the personal data of EEA residents is subject to the GDPR
Fines for breaches of the GDPR can be as much as 4% of your company’s global turnover, or up to 20 million euros.

Eye-opening, isn’t it?

If you suddenly find yourself taking a keen interest in the legal system of Liechtenstein, or if your first thought is “But Brexit will save me!”, read on.

What The GDPR Could Mean For Your Business

There are two ways of answering this: a legalistic one (what could happen under the new law) and a pragmatic one (what may be likely to happen in practice).

You’ll find a number of sources of good advice in “Further Reading” below that state in clear terms what the new regulation entails.

The first source we checked was New Zealand Trade & Enterprise’s report The Principles of the EU General Data Protection Regulation (September 2017). This is a good introductory summary, but please note that interpretations of the GDPR continue to evolve – check the NZTE website for later commentary.

In its September 2017 report, NZTE said:

“The General Data Protection Regulation (GDPR) is a new EU data privacy law that will come into full effect on 25 May 2018. GDPR’s primary purpose is to create one coherent data protection framework across the EU. In doing this, GDPR substantially enhances data protection and privacy rights for persons in the EU, and imposes a comprehensive set of principles and obligations with which a lot of organisations operating or offering products and services in the EU must comply…”

(Note: This NZTE paper referred to the EU rather than the EEA. However, the latest advice we have seen refers to the EEA.)

NZ companies with EU partners are likely to have heard from those partners already, as such NZ companies will be expected to have a GDPR preparedness plan in place before 25 May. To emphasise the importance of preparedness, NZTE commented:

“This new legally binding law replaces and expands on an earlier non-binding EU directive. Companies that do not comply with GDPR could face sanctions of up to 4 percent of their global turnover or up to EUR 20 million.”

What’s more, companies that are affected by the GDPR which do not have a direct presence in the EU will now be required to designate a representative in the EU who will have to carry out various compliance duties on behalf of the NZ company.

Think Brexit will save you? Think again. The UK will still be part of the EU when this regulation comes into effect, and even when Brexit takes effect, it’s expected that the UK will wholly or substantially adopt GDPR into its domestic law.

What’s the key difference from previous EU data privacy regulations? In its report GDPR compliance in four steps (December 2017), the New Zealand Law Commission says:

“The game changer here is that even businesses without a physical presence in the EU may have to comply with the new rules if they:

sell goods or services to a person who lives in the EU; or

monitor the behaviour of a person who lives in the EU.

The critical factor is the location of the individual (data subject) not the location of the data processor or data controller.”

In the same report, the Law Commission summarises when it is legal to process personal data under the GDPR as follows.

“Legal grounds for processing of personal data include:

To perform a contract;
The individual concerned has given consent;
The data controller has a legitimate interest;
Statutory obligation to collect and retain information (eg, employers);
To perform the lawful function of a public authority; or
For the protection of vital interests of that person.”

As you’ll see, therefore, it is possible to process personal data without having received explicit consent from the individual concerned. However, the general approach is prohibitive rather than permissive: the processing of personal data is prohibited unless there are legal grounds to do so.

So, all in all, your company should be extremely careful when handling the personal data of Europeans, including European residents.

Remember: For legal advice, ask your lawyer!

What might happen in practice? How likely is my company to get pinged if I fail to comply?

The short answer is: who knows? But we can make some guesses based on experience:

The EU will probably look to launch some high-profile investigations early, pour encourager les autres. Even if the companies investigated are not to be found in breach of the GDPR, the cost, stress and reputational damage may well prove to be considerable.
It is likely that the maximum penalties for a breach will rarely be imposed – but even a modest fraction of 20 million euros can blow a hole in most budgets.
If a breach is found, companies that can demonstrate that they are genuinely moving to comply with the Regulation, and especially those that are well on the path to doing so, may be looked on more favourably than those that have made no moves to comply.
Smaller companies, or those which collect comparatively little data from EEA residents, may also be treated more leniently – but there is no guarantee of that.

What the EU will do in practice, and how it will manage the balance between education and enforcement, is known only to them. In this situation, we suggest it pays for New Zealand companies to be risk-averse.

Minter Ellison, in their document Biggest shake up to data privacy laws in 20 years – are we ready for GDPR (March 2018), make these points that are well worth remembering:

“be aware that the threshold for obtaining consent to process personal data is much higher than in New Zealand. Consent requires a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the individual’s authorisation. We note that silence, pre-tricked boxes, or inactivity is not enough to constitute consent or deemed consent under the Regulation;
ensure that your internal systems and processes are updated to enable:
the erasure of personal data on request of the individual (otherwise known as “the right to be forgotten”); and
the right to data portability, meaning that on request an individual is entitled to receive a copy of all personal data held about them in a structured, commonly used and machine-readable format”

If your company does extensive business in or with the EEA, and if this post is the first time you’ve heard about the GDPR, then we suggest you have a word with your lawyers very soon. But even if you don’t think the GDPR will have a direct impact on your business, it’s worth keeping an eye on, as it is likely that these newer, tighter rules will have a ripple effect around the world. At minimum, you should make sure that your company complies with New Zealand’s own Privacy Act.