GDPR: What It Means For Your Business
& What You Need To Do.

Getting To Grips With GDPR Requirements

We’ve had a lot of questions directed to us in recent weeks regarding compliance issues in respect to the new European GDPR legislation, which takes affect later this month.

We have complied this short guide to help you understand if and how the GDPR applies to your business situation and we’ve provided a list of useful tools and resources and documented some of the changes we’ve adopted internally, in response to this new legislation.

What Is The GDPR & What’s It Got To Do With Me?

The GDPR or The General Data Protection Regulation is an expansive piece of new privacy legislation that will come into full effect on the 25th May 2018. The GDPR is a European Union (EU) data privacy law that will have implications for businesses globally and can carry potentially heavy penalties for breaches, with fines up to €20 million or 4% of global revenue.

The broad thrust of the new legislation is to provide EU citizens with greater transparency and control in respect to how their personal information is collected and used and providing them with legal recourse where they suffer any misuse or breach of their data.

The new legislation is very likely a glimpse of the type of expanded legislation that will come to our own shores in the not too distant future. As a result, we’ve decided to embrace some of the key aspects of the new European standard and apply it to our own business case, so we could share our findings with others.

While these new privacy laws are a European Union initiative, their powers extend beyond the European Union’s borders and can affect businesses worldwide and because it is legally binding, companies cannot simply ignore or opt out.

Who will be affected by the GDPR?

There are three different categories of business that can be affected by the GDPR:

Organisations based within European Union Borders.
Organisations that provide goods and services to European Union citizens regardless of where the organisation is based.
Organisations processing and holding the personal data of citizens residing in the European Union regardless of the organisations location.

If you work for a New Zealand based company, it’s quite possible that you fall into one of the latter categories of the organisations affected. If your organisation sells goods or services to EU citizens or if your company is collecting or storing personal or behavioural data on these users e.g. via your website, analytics package or email marketing package, then your company is subject to compliance with the requirements of the GDPR.

What should you do about the GDPR?

Your own response to the GDPR (if any) will obviously be heavily dictated by your own business situation, in respect to both your interactions with EU-based clients or users and your business’s operational scope.

There are different levels of GDPR compliance and dependant on the nature of how your business collects, processes and stores user data, your required approach will need to be adapted accordingly.

Common features across many businesses that warrant carefully consideration include, your website’s privacy policy and your overall marketing information systems. This list will likely include your website, reporting and analytics package, CRM software, marketing automation tools, email marketing database and social media outposts.

There is a lot of very detailed material online about the GDPR and rather than try and attempt to recreate this or provide an exhaustive roadmap, we’ve provided some useful resources below and detailed some of our own preparations for GDPR.

What We Did About The GDPR Requirements

Exploratory Research and Situational Analysis

We started out by conducting quite a bit of research on the subject and consulted some Industry Associations and colleagues that were facing the same challenge in respect to the new legislation. As a result of our research and analysis we decided that despite the fact that we aren’t marketing our own services in the EU, that we’d attempt to adopt some of the dictates of the new higher European standard. The key driver for this was so that we could better assist our clients and provide support to existing and potential clients that might be directly impacted by these changes.

Systems Review & Audit

The next major step was to review and audit all of our own tools, systems and processes as they relate to collecting and storing personal information, that could potentially come under the scope of the new legislation. This list of tools and systems included our website, business emails systems, website and campaign analytics tool, email marketing tools etc.

System and Process Changes

The system review and audit helped us to identify areas where we were potentially risking violations of the new legislation. We then worked through a number of checklists and implemented practical steps to update some of our data collection and storage processes to bring us closer into line with the GDPR provisions.

As an example of some of the practical steps involved; we removed any default opt-in check boxes from our website (as consent now needs to be expressly given). We anonymised the last 4 digits of the user IP addresses that we were collecting in our analytics package (as this is deemed to be personally identifiable information) and we checked that we weren’t collecting any personally identifiable information via tracking URLs that might contain a user’s name or email address e.g. /?email=ronan@testdomain.co.nz.

Documentation and Privacy Policy

Once we’d audited and documented all of our tools and processes relating to our collection and storage of user data, we then carefully defined these systems and processes in the context of key questions we needed to cover in our updated Privacy Policy. These questions are at the heart of GDPR compliance and include:

What information is being collected
How we collect this information
Why we collect your information
How we use that information
Who we share or disclose that information to.
How we protect your information.

We then incorporated our answers to these questions into our own Privacy Policy, which we will periodically review and update in respect of changes to our own policies and legal changes.

New Zealand’s existing privacy laws have been deemed to be robust by the EU, but it is very clear that adoption of new GDPR legislation will go far beyond the current New Zealand privacy laws and will place a much greater burden on organisations to comply with privacy protections.

Next Steps:

The new GDPR legislation will mean very different things for different organisations and it is for every individual business to identify potential risks and define the best approach for their own situation.

The GDPR is a very complex piece of legislation and its practical applications are currently untested, so if you think that your business is subject to these new laws it is best to seek out expert advice in the short-term.

If you are in any doubt about whether your situation requires you to comply with the GDPR or if you are concerned that you aren’t currently ready for the new privacy laws, it is best of seek the help of an expert in European privacy law and compliance.

We’ve provided a list of some of the more useful resources and tools below that we used in our own research.