ITP Techblog

PREPARING FOR THE GDPR

The EU General Data Protection Regulation (the GDPR) was passed by the European Parliament on 14 April 2016, and is due to come into force without individual member state ratification in May 2018. The GDPR, which will replace the Data Protection Directive, is designed to give European citizens greater protections and more control of their data.

Some of the most significant changes the GDPR will introduce are:

• Data protection by design/default: organisations will be required to implement technical and organisational measures to demonstrate that they have integrated compliance measures into their data processing activities - for example, so that only personal data that is necessary for the specific activity undertaken is processed and retained. 
• Data Protection Officers: in certain circumstances, organisations must have a knowledgeable internal Data Protection Officer (DPO) as part of their accountability programme. The DPO's activities must include supervising and maintaining compliance with the GDPR. 
• Personal data breach notifications: data processers must report all data breaches to the relevant data controller without undue delay after becoming aware of the breach. Data controllers must notify the appropriate supervisory authority of a data breach within 72 hours of becoming aware of the breach unless the controller is able to demonstrate that the data breach is unlikely to result in a risk to the rights and freedom of natural persons. In some cases, they must also notify each affected data subject. 
• Data portability: if requested by the data subject, relevant data must be provided in a commonly used format and/or transferred to another controller if the subject requests. 
• Universal right to be forgotten: in certain situations, data subjects can require data controllers to erase their personal information without undue delay. As well as erasing the data held on request, the data controller must take reasonable steps to notify any one to whom it has disclosed the data.  
• Consent: consent to the processing of personal data must be "freely given, specific, informed, and unambiguous" - silence or pre-ticked boxes will not meet this requirement. Separate consents are required for different processing activities - "omnibus" consent mechanisms may not be valid. The data subject must have the right to withdraw consent at any time.
• Sanctions: penalties for breaches will be imposed on a tiered scale, and may be up to 4% of the organisation's global annual turnover. 

The GDPR maintains the position under the Directive that transfers of personal data to countries outside of the EU must only take place if an adequate level of protection can be ensured. New Zealand was declared "adequate" for this purpose in 2012 under the existing directive and the GDPR provides that adequacy decisions made under the directive will remain in force. 

However, due to the broader scope of the GDPR, New Zealand organisations may find themselves captured by the GDPR (and therefore subject to greater compliance obligations) even if they are not currently captured by the existing directive.  The GDPR will apply to organisations outside of the EU whose activities relate to the offering of goods and services to, or monitoring the behaviour (within the EU) of, EU data subjects. Monitoring behaviour includes the use of cookies to profile users and predict their personal preferences. In practice, any New Zealand company targeting consumers in the EU and collecting their personal data may well fall within the scope of the GDPR. The ability to place orders in the EU country's language or local currency is likely to be indicative of a directed EU presence which will impose GDPR obligations. The GDPR may also apply where an organisation has an EU 'establishment' where personal data is processed. An 'establishment' may exist where an organisation exercises 'any real and effective activity, even a minimal one … through stable arrangements'. 

If you think your organisation may be affected by the GDPR (for example, because you operate in the EU or offer goods or services targeted at EU citizens), you would be wise to take legal advice well before it comes into force. In any event, it is always worth looking at how your organisation deals with personal information and considering the following issues: 

• How will you address data security breaches? Organisations with clear policies and well-practiced procedures will be less likely to be stung by the implementation of the law in two years.
• Do you have a framework for accountability for data protection within your organisation with clear standards and a culture of self-monitoring?
• Have you embraced privacy/data protection by design? Privacy policies should be accessible and in plain-language and you should carefully consider how and when you obtain data subject consents. 
• Do you have in place procedures to uphold data subjects' rights and are the security standards which apply to how you store and process data adequate?

 

Amy Ryburn is a partner in Buddle Findlay's ICT practice. She really loves her job. When Amy's not at work, she can generally be found hanging out with her husband and trying to keep up with her three small children.