06 April 2018
Daniel Dellemann / Business Development Manager and Market Analyst / NZTE Europe
New Zealand companies doing business with Europe must comply with new rules over the way they manage the personal data of European Union (EU) residents.
The rules take effect on 25 May 2018 under the EU’s General Data Protection Regulation (GDPR).
All companies and organisations that collect, store or use personal data of EU residents need to comply by 25 May, or risk penalties of up to 20 million Euros or 4 percent of global annual turnover.
Compliance is required regardless of whether a company owns the data, or is just a service provider processing data for another company.
New Zealand companies intending to launch their services in the EU need to be GDPR-compliant before contracting with EU companies.
EU partners expect New Zealand companies to have a compliance plan in place before GDPR takes effect.
GDPR rules range from using plain language when communicating about data collection, to giving people the ‘right to be forgotten’, to keeping only data necessary for a specific purpose.
Some companies including Facebook and Google have published descriptions of how they are complying with GDPR.
How can my company prepare for GDPR?
We recommend you seek professional legal advice to prepare for the changes.
For an overview of how GDPR affects SMEs, see the European Commission's website.
For an overview of how GDPR affects New Zealand businesses, including a comparison of NZ Privacy Law v GDPR, see Russell McVeagh's Information Sheet for GDPR.
Here are some actions you may want to consider:
• Analyse what, how and why you process data. Have a look at what kind of data sits in your CRM as a lot of it may be irrelevant or outdated.
• Assess how GDPR could affect your business. For example, some contracts may need updating and you may need to request consent from people who receive your newsletter.
• Consult with relevant stakeholders such as customers, data controllers and data processors. This relates to the above point: do you need to update contracts or request consent?
• Create processes: implement changes, set clear responsibilities and review your processes on a regular basis.
• Data security: there are a lot of data security systems available. But as a starting point, you could review your passwords and encryption settings.
What is the purpose of GDPR?
To create one coherent data protection framework to protect the rights of people living in the EU.
Are GDPR regulations for companies with operations in the EU different to those without operations in the EU?
The short answer is the same rules apply regardless of where your operations are based. GDPR does not just apply to businesses and organisations with operations in the EU, but to all those collecting, storing or using the personal data of EU residents.
If you collect, store or use the personal data of EU residents and do not have a direct presence in the EU, you will be required to designate a representative in the EU to carry out compliance on behalf of your company.
Do companies collecting, storing or using the data of United Kingdom (UK) residents have to meet GDPR regulations, given the UK plans to leave the EU under Brexit?
This article has been updated from an article published on 2 October 2017.