The European Union's General Data Protection Regulation comes into force today - Does it affect your business?

If you have customers or suppliers in the European Union, you may have to comply with the General Data Protection Regulation (GDPR) which comes into force today.

Are you wondering why your inbox has been clogged with emails from organisations advising you that they have updated their privacy policies?

These updates are a response to toughened privacy regulations in the European Union (EU), specifically the General Data Protection Regulation (GDPR).  The GDPR is already law in at least 28 EU countries as a result of an earlier non-binding EU directive, but it officially comes into force in the EU today, 25 May 2018.

Many of you may have simply glanced over the emails you have received this week because this is EU legislation. However, the GDPR is wide-reaching and it may well affect your business.

What is the GDPR?

The GDPR is a new EU data privacy law which will change the way that businesses access, store and use personal data. In particular, the GDPR protects any information that can be used to identify an individual, and certain categories of data have been singled out for a higher level of protection.

It represents a movement across the EU towards aligning privacy policies and procedures and improving data protection and privacy rights. The regulation imposes a comprehensive set of principles and obligations with which agencies working in, or with, the EU need to comply.

For a basic overview of the GDPR, visit the EU Commission’s website.

How does EU legislation affect New Zealand businesses?

It is easy to look at foreign legislation and think that it will not affect your business; however, the GDPR has a wide reach. Because it is designed to protect EU citizens from data and privacy breaches which could affect them, it captures businesses and/or websites that operate from overseas as well as those physically located in the EU. Be aware that it will also capture free services.

To determine whether the GDPR will affect your business, consider the following:

  • Does your business offer goods and services to EU residents?
  • Does your business rely on third parties that store or transmit data to or from the EU? (think hosting)
  • Does your business collect, transmit or process data about EU residents?

What should your business be doing if you answered “yes” to any of the above?

  • Assess how the new regulation might affect your business.  Ultimately you may need to seek professional legal advice on this.
  • Identify and map EU customer data and analyse what, how and why you process data. You may need to take additional measures to protect EU customer data; it may need to be segregated from other customer information and treated differently.
  • You may need to communicate to your customers or consult with other third parties, for example data controllers and processors.
  • You may need to update privacy consents and/or policies.
  • Be prepared for questions from your EU partners about your business’ GDPR compliance.
  • Consider your processes for responding to requests from customers and dealing with privacy breaches.  (Customers can trigger enforcement action under the GDPR by requesting that you provide them with the data that your business maintains about them, as well as other more detailed information about that data.  Failure to provide a complete response in a timely manner could trigger significant penalties.)

If you are unsure whether your business needs to comply with the changes that come with GDPR, and/or you require further advice and support in this area, please contact our team.