Another day, another morning scroll through the world’s current events, most of which are dedicated to that GD…EU internet thing. You have a feeling it’s probably pretty important, but the jargon-filled, lengthy articles always look so intimidating.
Well, for the business savvy and constitutionally clueless, here’s the 101 lowdown on the GDPR: what it is, who it affects and how it’s changing the data game.
What is changing?
The General Data Protection Regulation has officially gone live in the EU in a move to improve data security and protect citizens from unconsented data collection and tracking.
Replacing the 1995 EU Data Protection Directive, the GDPR will work to standardise and simplify data security for individual residents in three key ways.
1. Going Global
The traditional DPD regulated ‘data controllers’ (companies who held personal information on their users) established in the EU or who processed the data using EU-situated equipment. However, the GDPR will have a far more global reach as it applies not just to the businesses operating in the EU but those who monitor or sell goods and services to Union citizens.
2. It’s all about consent
The GDPR will also be cracking down on the ambiguous ideas around consent. While previously companies could play the ‘how much information can we trick out of you’ game, the new legislation will demand that they have explicit consent from users to hold personal information. Think of this as the reason your inbox has been spammed by every organisation you’ve ever given your email address to, asking you to re-opt into their marketing.
3. Open access
In order to be GDPR compliant, all companies will need internal structures that enable them to securely respond to data requests by users. In simple speak, if the recipient of a marketing email wants to know every piece of information that company has about them, they have a right to know within 30 days of placing a request. If they don’t like what the organisation knows, they can then request that any and all data be permanently deleted.
What does this mean for me?
The legislation may be a European one, but its structure gives New Zealand companies a good reason to care. See, unlike the old data regulations, this one isn’t targeted only at European businesses, but at European citizens as well. So, whether you’re based in Austria or Auckland, if you hold data about EU residents then you’ve got to play by the new GDPR rules.
‘But wait’, you say, ‘I only collect data from people who visit my physical store! I’m safe!’. Well, it’s not always that simple. According to the GDPR, it doesn’t matter where the individual is when they supply the data, only where they end up living. Imagine an Italian tourist visited New Zealand, filled out their email address and signed up to your company newsletter in return for free WiFi. Even though they were outside the Union at the time, the moment they return to the EU and receive online marketing emails, they have the right to invoke a GDPR complaint. Making a complaint sounds lame until you learn that this could cost you €20 Million. Per complaint.
Essentially, the new rules aren’t about your physical location but the location of your ‘data subjects’; the people whose details you have or behaviour you monitor.
The GDPR may only mention ‘cookies’ once, but it seems like once is enough to make them something to be aware of too. To save you having to translate legal speak, section 30 states that when the browsing data collected by an organisation could identify the user it belongs to, it is considered personal data. Now, not all cookies could identify a user, but most can, making them subject to the GDPR rules of consent.
So, in order to keep their precious cookies, companies will now have to prove they have legal grounds to collect and process them. As it turns out, this means that three of the most common tactics are no longer legal according to the Cookie Law (yes, that is an actual statute).
- Implied consent: If a user visits a website, this isn’t enough to constitute consent.
- Accept Cookie Pop-up: For the same reason, those ‘by using this site you accept cookies’ memos aren’t sufficient as there is no opportunity to accept or reject.
- ‘Opt-in’ but no ‘Opt-out’: Your users have given consent (hurrah!), however, to stay above the law, you have to provide a preferences page where they can withdraw or edit their level of consent.
How do I stay safe?
According to New Zealand Marketing Association CEO Tony Mitchell, no one is totally certain how the regulations will be enforced internationally, but it’s smart to be safe.
“I would be suggesting to businesses if they do have information on EU citizens, and they are using or storing that information, that they review the GDPR standards online and make sure that they are in line,” says Mitchell.
The CEO said any companies that were uncertain could also turn to third-party auditors to confirm whether the data they hold is held legally and whether their systems are capable of providing individuals with secure access to their own data.
With 250 pages to it, the GDPR legislation is a bit of a beast, one which has been described as ‘incomprehensible’ by the very companies that it applies to. However, Mitchell says it has already become hugely influential in prompting other countries to review their own regulations.
“Data regulations will continue to evolve,” he said. “GDPR is already having a knock-on effect in New Zealand.”
As for whether you should freak out over the dramatic opinion pieces and the threat of $200,000 fines, Mitchell said it wouldn’t be changing much for Kiwi companies due to our own strict data policies.
“New Zealand companies already have very good standards. GDPR does go a bit further but most companies are well on their way.”