The EU General Data Protection Regulation: Why it May Affect You, and What You Need to Do
On 25 May 2018, the European Union’s General Data Protection Regulation (GDPR) will come into force.

New EU data protection framework

The GDPR will introduce a number of important changes to the current EU directive, including the following:

Greater territorial scope

The GDPR applies to organisations outside the EU whose activities include:

1. Offering goods or services to EU customers/users. Factors that determine if an organisation is caught by this include:
2. Monitoring the behaviour of EU customers/users. This includes:
So any New Zealand organisation that targets EU customers and collects their personal data is likely to be subject to the obligations imposed by the GDPR. Such organisations may need to appoint a representative within the EU for compliance purposes, including to liaise locally with the relevant supervisory authority and individuals.

Accountability and compliance

Organisations that are subject to the GDPR have strict accountability obligations, including around maintaining certain documentation, conducting a data protection impact report for certain riskier types of processing, and the implementation of data protection by design and default (for example, ensuring that only personal data that is required for a particular activity is processed and retained).

Consent

The GDPR will require organisations to obtain the express consent of data subjects when collecting and storing their data. This consent must be given freely, and be specific, informed and unambiguous in nature. Pre-ticked boxes will not be adequate in this regard.

Erasing personal data

The GDPR gives individuals the right to require organisations to erase their personal data without any delay. This right is accompanied by an obligation to take reasonable steps to ensure that any person to whom the data has been disclosed is given notice of the data subject’s erasure request, allowing them to comply with the request.

Requests for information

Individuals have the right to request that organisations provide them with all of the personal data that they hold.

Breaches

The GDPR places a mandatory obligation on organisations to notify the relevant supervisory body of any breaches of data that occur. Such a notification must take place without undue delay, and where feasible within 72 hours of the discovery of a breach. If this time frame is not met, then a reasoned justification must be provided. In certain cases, the affected individuals must also be informed. However, no notification is required if the breach is unlikely to result in any risk to individuals.

Fines

The fines associated with a breach of the GDPR are significant compared with the current directive. For certain higher-end infringements, the organisation may be fined up to the higher of 4% of its worldwide turnover and EUR 20 million.

Transfers to New Zealand organisations

Transfers of personal data to non-EU countries with an adequate level of protection do not require any specific authorisation under the GDPR. New Zealand has an adequate level of protection, so transfers to New Zealand will continue to be permitted.

Reform of Privacy Act 1993

Since the New Zealand Privacy Act was enacted in 1993, there have been significant and rapid changes in information technology and data science. This has influenced developments in international legal frameworks, culminating in the forthcoming introduction of the GDPR in May 2018.

What steps do I need to take to comply?

If the GDPR applies to your organisation (and if you have not already done so), you will need to have appropriate processes and procedures in place to ensure compliance with the new legislation when it comes into force in May 2018. This will include embedding the following into your organisation:

For more information

A copy of the GDPR can be found here.

How we can help

Our team of New Zealand and UK qualified lawyers would be pleased to discuss the impact of the GDPR with you in further detail, answer your questions, and assist you to comply with your obligations.
Contact: David Alizade, Partner