If you've been at all engaged with the news recently, or if you've read the numerous privacy agreement updates from your social media channels that you've been receiving, then you've probably heard of the GDPR.
The GDPR refers to the European Union's General Data Protection Regulation that has recently come into force and aims to protect the rights of individuals in the EU and enhance data protection. With increased concern from consumers about privacy, the GDPR aims to re-establish trust by giving them more control over the personal information that is held about them.
Key ways that the GDPR aims to do this include giving EU citizens the "right to be forgotten", the right to ask what data is held about them, the right to make changes to any information held about them, and the right to transfer their personal information to another business or organisation. The GDPR also requires that any gathering of data is necessary and in line with the legitimate purpose of the business or organisation that is collecting them.
Consumers must also give consent for data to be collected, and this consent must be "freely given, specific, informed and an unambiguous indication of the data subject's wishes which by a statement or by a clear affirmative action, signifies agreement to processing".
By "data" the GDPR is referring to any information that could be used to identify an individual. Obviously this would be their name, address, or ID, but may also refer to broader location data, IP addresses, and data collected by cookies.
Is this relevant in NZ?
The simple answer is yes. The GDPR aims to protect EU citizens, but because the internet operates on a global scale, New Zealand websites could be, and are, used to gather data about people all over the world.
What should you check?
To help you get started with reviewing your data and privacy practices, here are some steps that you can take:
How does the GDPR compare with New Zealand's Privacy Act?
Our Privacy Act 1993 sets out 12 somewhat-flexible Privacy Principles. Whilst there is considerable crossover between these Principles and the Articles in the GDPR, there are some aspects of the GDPR that are not covered in the Privacy Act, and therefore NZ businesses will need to be vigilant.
The International Association of Privacy Professionals (iapp) has created a helpful post that compares the Privacy Act 1993 with the requirements of the GDPR. If you want to see what matches up and what doesn't, you can check it out here.
How are we helping our clients?
Regarding your privacy and data collection practices, we must stress that you are responsible for reviewing the data that your website collects, how you use this data and the information you provide about your practices to consumers. As much as we'd love to help you, we don't have the legal expertise to ensure that your site is GDPR compliant, and if you have concerns you should approach a legal professional with expertise in this area.
As always, we are very happy to work with you, in accordance with your instructions, to make any changes to your site that you may require.
Disclaimer: Whilst this post is intended to provide information about the GDPR, it must not be used as a guide or legal advice about the GDPR or becoming compliant. The purpose of this post is to provide general information and you should seek legal advice if needed.