GDPR Compliance for New Zealand Businesses

The General Data Protection Regulation (GDPR) came into force on 25 May 2018. Even though this is a European Union regulation, it potentially has significant implications for New Zealand businesses.  Technology has enabled New Zealand businesses to operate on a truly global scale and businesses collect, process and use data from all corners of the world.    
   
The key purpose of the GDPR is a codification for the protection of individual's personal data and the movement of personal data within the EU.  The GDPR goes beyond New Zealand's Privacy Act 1993 (Privacy Act), thereby containing stricter requirements in a number of areas.  The "long arm" of the GDPR may now reach many New Zealand businesses.    
   
Does the GDPR Apply to Your Business?

For the GDPR to apply to a New Zealand business, your business does not have to physically have an office established in the EU.  As long as your business 'processes' the personal data of a person located in the EU, this is sufficient.

More specifically, the regulation will apply to a New Zealand business that processes the personal data of data subjects (ie any individual) who are in the EU where the processing either:

a) Relates to the offering of goods or services to data subjects in the EU; or    
b) Relates to the monitoring of the behaviour of data subjects in the EU, to the extent that behaviour takes place within the EU.

Simply having a website that is accessible to EU residents may not be sufficient to trigger the GDPR on its own.  Further factors are likely to be necessary, such as a website that provides for payment, and which makes it apparent that you intend to offer goods and services to consumers in the EU.  Also, if you are able to monitor website activity of data subjects while they are in the EU, this could also trigger application of the GDPR.

For example, if a person in the EU orders a product online from a NZ business for delivery in the EU, the GDPR applies.  Conversely, where a EU citizen is in NZ and orders and pays for delivery of a product within NZ, the GDPR is not triggered.

How Does the NZ Privacy Act Differ From the GDPR?

The GDPR goes further than the Privacy Act in that an individual's consent must be explicit and a business must demonstrate the individual's active consent. The core focus of the GDPR is giving individuals more rights in relation to the their own personal data which goes beyond the Privacy Act.

The GDPR has included additional requirements in mandatory contract terms with data processors.  There are additional accountability measures (risk assessments, training and keeping records) going beyond the Privacy Act's requirement of merely a privacy officer in certain circumstances.

How can Businesses Comply With the GDPR?

The first step a business should undertake is an assessment of whether your business activities are caught within the territorial scope of the GDPR. That is, are you offering goods and services to people located in the EU?  Or are you monitoring the activities of people located in the EU (regardless of citizenship)?    

Our team of legal experts can assist in order to work out if your business is captured by the GDPR, and, if so, what steps you are required to take to ensure that you are GDPR compliant.

Different New Zealand businesses will have different levels of risk under the GDPR and therefore the compliance will vary on a case by case basis. For example a New Zealand business could be considered 'high risk' if the business has an office in the EU, offers goods/services directly to individuals in the EU or processes 'sensitive data'.    

Data is becoming more and more valuable nowadays for businesses, and investing in ways to comply with the GDPR provides businesses an opportunity to leverage and protect this data.

Why Should my Business Comply?

There are a series of potential penalties and liabilities that arise under the GDPR and the financial consequences of failing to comply with the GDPR is significant.

There are two tiers of pecuniary penalties:

a) A fine of up to €10,000,000 or 2% of total worldwide annual turnover (whichever is the highest)    
b) A fine of up to €20,000,000 or 4% of total worldwide annual turnover (whichever is the highest)

Other penalties include EU-based privacy authorities corrective powers and sanctions including issuing warnings and reprimands, imposing temporary or permanent ban on data processing and ordering the rectification, restriction or erasure of data.  We recommend that New Zealand businesses come to terms with whether the GDPR will apply to them. There are potentially adverse reputational implications for a business that may occur from a failure to comply with such data protection law, irrespective of the regulatory sanctions that may be imposed.

On 21 January 2019, Commission Nationale de I'Information et des Libertés (CNIL), France's data-privacy regulator, imposed the largest fine so far in the GDPR's brief existence.  CNIL imposed a fine of €50 million (NZ$85 million) on Google for two breaches of the GDPR.    
   
This was a statement to the world that no matter how large your corporation is, your business is not immune to the EU's authorities flex of its GDPR muscle.  The fine imposed by the regulator exceeded the €20,000,000 specified in the second tier penalty formula and was instead calculated as a portion of 4% of Google's total worldwide annual turnover.

Both of the violations centred around "forced consent", in that Google was deemed to be lacking a transparent legal basis for processing individuals personal data by forcing users to consent to processing that they did not understand. Even though Google had implemented processes to obtain user consent to process personal data, the regulator deemed these processes were insufficient to meet the GDPR principles of transparency, information and consent. Therefore, your business must be aware of the obligation to acquire clear, unambiguous consent from data subjects in the event where an individual's personal data is processed.

What Measures can my Business Undertake?

The practical measures that your business can undertake depends on the data you are processing, scale of the business and many other factors.

From here you can undertake different measures depending on your means including:

a) undertaking a data map;    
b) drafting a GDPR compliant privacy policy or notice;    
c) clarifying the legal basis for your processing of data;    
d) appointing a data protection officer;    
e) updating internal privacy procedures and data breach planning;    
f) considering your third party relationships and contracts; and    
g) various other measures.

We can guide you towards what measures are most appropriate for your business and assist your business in the implementation of such processes.  If in doubt, we recommend ensuring your business complies with the GDPR to avoid running foul of EU authorities, or even just receiving bad publicity that may discourage consumers from using your business.

Please direct any enquiries to:

Andrew Knight on (09) 306 6730 (aknight@mcveaghfleming.co.nz)

See our Expertise page

Privacy and Data Protection