What you need to know about the GDPR

If you've been at all engaged with the news recently, or if you've read the numerous privacy agreement updates from your social media channels that you've been receiving, then you've probably heard of the GDPR.

The GDPR refers to the European Union's General Data Protection Regulation that has recently come into force and aims to protect the rights of individuals in the EU and enhance data protection. With increased concern from consumers about privacy, the GDPR aims to re-establish trust by giving them more control over the personal information that is held about them.

Key ways that the GDPR aims to do this include giving EU citizens the "right to be forgotten", the right to ask what data is held about them, the right to make changes to any information held about them, and the right to transfer their personal information to another business or organisation. The GDPR also requires that any gathering of data  is necessary and in line with the legitimate purpose of the business or organisation that is collecting them.

Consumers must also give consent for data to be collected, and this consent must be "freely given, specific, informed and an unambiguous indication of the data subject's wishes which by a statement or by a clear affirmative action, signifies agreement to processing".

By "data" the GDPR is referring to any information that could be used to identify an individual. Obviously this would be their name, address, or ID, but may also refer to broader location data, IP addresses, and data collected by cookies.

Is this relevant in NZ?

The simple answer is yes. The GDPR aims to protect EU citizens, but because the internet operates on a global scale, New Zealand websites could be, and are, used to gather data about people all over the world.

For example, if your site uses cookies to track site traffic for analytics and/or advertising puproses and someone located in the EU visits your site, you are most likely subject to the GDPR regulations. It is important that you consider what data you collect and hold, what this data is used for, and how relevant it is for you to gather this data in order to decide how you may address any privacy requirements.

What should you check?

To help you get started with reviewing your data and privacy practicies, here are some steps that you can take:

• Make a list of all the places that you gather data about people online. This could include forms on your website such as contact, booking or lead generation forms, and is likely to also include use of cookies (via Google Analytics or use of a Facebook Pixel).
• Look at the information that you gather about people in these ways. Is all of the data that you gather required and meaningful for your business?
• Check that you have provided an opt-in and opt-out opportunity that requires a direct action by the consumer for each form of communication. Opting out of communications should ideally be automated and immediate. Services such as Mail Chimp make this easy and they've created this post about the tools they've put in place for the GDPR.
• Check that you clearly inform consumers about the data that you gather from them, and do you provide them with a way to contact you should they wish to view, request a change to, or ask you to delete data gathered about them​

How does the GDPR compare with New Zealand's Privacy Act?

Our Privacy Act 1993 sets out 12 somewhat-flexible Privacy Principles. Whilst there is considerable crossover between these Principles and the Articles in the GDPR, there are some aspects of the GDPR that are not covered in the Privacy Act, and therefore NZ businesses will need to be vigilant.

The International Association of Privacy Professionals (iapp) has created a helpful post that compares the Privacy Act 1993 with the requirements of the GDPR. If you want to see what matches up and what doesn't, you can check it out here.

How are we helping our clients?

If you have a Ripple Design & PR website and your site uses cookies (this is usually associated with Google Analytics) we have made a small change to your website that will display a notification to any visitors from the EU, and explains that they have the option to block cookies in their browser settings. This message can be altered to show up for all visitors to your site (including those outside the EU), and if you would like this to be activated, please let us know.

Regarding your privacy and data collection practices, we must stress that you are responsible for reviewing the data that your website collects, how you use this data and the information you provide about your practices to consumers. As much as we'd love to help you, we don't have the legal expertise to ensure that your site is GDPR compliant, and if you have concearns you should approac a legal professional with expertise in this area.

As always, we are very happy to work with you, in accordance with your instructions, to make any changes to your site that you may require.
​

Disclaimer: Whilst this post is intended to provide information about the GDPR, it must not be used as a guide or legal advice about the GDPR or becoming compliant. The purpose of this post is to provide general information and you should seek legal advice if needed.