The EU General Data Protection Regulation (GDPR) is one of the largest ever changes in data protection law. It replaces the existing Data Protection Directive and came into force on 25th May 2018. The aim of the GDPR is to give Europeans better control over their personal data held by organisations worldwide. The new regulation focuses on keeping organisations more transparent and expanding the privacy rights of individuals. The GDPR also introduces more stringent penalties and fines for organisations that are non-compliant, ranging up to 4% of annual global turnover or €20 Million, whichever is the greater.
However, the GDPR does not only apply to organisations within Europe. It also applies to organisations outside of Europe, including those in New Zealand that sell goods or services to EU residents or that monitor the behaviour of EU residents. Not sure whether the GDPR applies to your organisation? Use our checklist to get an indication.
The effects on NZ companies in scope of the GDPR largely depend on their current level of compliance with the NZ Privacy Act. Many organisations that are in scope find they are also currently non-compliant with the NZ Privacy Act, which increases the amount of work required to become GDPR compliant. Changes required range from updating legal documents and documenting processes to changing the way they market to customers and making security changes. Each company's journey is different, depending on its starting point and the kind of business.
If you are in scope, the first thing to do is not panic! The regulators from Europe are not planning a trip to NZ just to check compliance anytime soon. Unless you breach a customer's rights or have a security breach, the regulators are not going to be searching for you.
There is a lot of incorrect advice around regarding the GDPR, so make sure you get advice from a certified GDPR specialist to ensure you are taking the right actions.