EU privacy law deadline looms
New privacy guidelines will have a major impact on New Zealand Software as a Service (SaaS) providers who want to do business with the European Union.
The EU General Data Protection Regulation (GDPR) aims to protect the privacy of EU citizens, specifically their "right to be forgotten". While Google and other search engine providers have been most vocal about the problems inherent in that, SaaS providers will also have to take GDPR requirements into consideration or face fines of up to 4% of their company's global turnover.
GDPR only protects EU citizens but does apply to any business that sells goods or services to those citizens, regardless of whether the company has a physical presence in Europe. Indeed, the law extends so far as to cover companies who "employ any residents of the EU" or even collect data that may include data about EU citizens.
However, preparedness for the upcoming May 25 deadline seems somewhat sporadic at best.
One recent survey of 1600 organisations found that 37% didn't know if they complied with the GDPR requirements, and of those who didn't know, 14% gathered data from EU citizens, putting them immediately on the naughty list.
Locally, accounting software services giant Xero recently told its customers that it was already confident of its compliance and it has a work programme underway to ensure full compliance by the deadline.
"New Zealand is recognised by the EU as an 'adequate' country (i.e. safe country) to receive and process EU personal data. Transfers to New Zealand are therefore entirely lawful under GDPR," says the company in response to a question about the legal situation on the company website.
Meanwhile the Privacy Commissioner has made six recommendations to the Government's review of the Privacy Act including fines for breaches of privacy, mandatory reporting of breaches and the public's right to data portability.