What is the GDPR and how will it affect NZ businesses?

GDPR Privacy PolicyIf you’ve noticed a flood of emails in recent weeks touting business’s privacy policy updates, it’s the GDPR that you have to thank.

But what is GDPR and how will it impact your business here in New Zealand?

What is GDPR?

GDPR stands for ‘General Data Protection Regulation’. It’s a new European law to do with the management of how businesses process and handle data, and it takes effect on May 25th 2018.

There are six key principles of GDPR that pertain to the collection of customer data through your website or email marketing:

Transparency

You must explain to your customers how their data will be used

Honesty

Only use data for the purposes specified at the time of its collection

Limits

Only collect data that is necessary for the purpose you specify

Accuracy

Make sure any and all data is accurate

Storage

Only store data for as long as necessary for the intended purpose

Protection

Actively protect the loss or theft of data in a proactive way

Note: You will need to be able to show that you are in compliance with these regulations on demand and how you comply.

Who does GDPR apply to?

The GDPR applies to any individual or business who does business with people in Europe.

This does not require an exchange of money.

For example, if you are a tourism business in New Zealand but store the contact details of a European customer, you must comply.

If you have an email list and any of your subscribers are in Europe, you must comply.

This specifically applies to any business whether inside or outside of the EU who markets services or products to EU citizens.

This basically means GDPR applies to any business.

  1. These are the 5 key points that companies need to understand:
  2. Your customers have the right to ask you about the use, storage and reasons for use of any of their personal data
  3. They also have the right to access it at any time by asking you for a copy of all information you have about them on file
  4. They have the right to rectify or request to correct any information stored or used by your business
  5. Their right to erasure means that any person your hold data for has the right to ask for it to be erased from your system
  6. People can unsubscribe at any time from your communications or emails by exercising their right to object.

What are the key things you will need to do?

All data that you are using or planning to use for marketing will now need consent from the customer.
You will need keep track of when this consent was given and know that this consent will expire.

Consent must be regularly updated. This can be achieved by sending out an email to your subscribers, confirming that they still want to be part of your mailing list.

Customers have now have to to ‘opt-in’ to a mailing list.

How does this differ from current practices?

Currently a many email subscriber forms have the ‘opt-in’ box prefilled and a customer can untick if they do not want to receive regular emails or promotions. For the new laws, this box must remain unticked. To opt-in, this box must be checked by the subscriber.

So, moving forward, to be compliant, you will need to keep records of your updated customer list, noting how they opted in and when.

Remember: You may be required to prove you have done this on-demand.

Summary

It may seem daunting to suddenly be subjected to these regulations, particularly considering that the EU is on the other side of the world, but ultimately, these regulations are for the greater good and provide a real opportunity to demonstrate goodwill and build a whole new level of trust with your subscribers.
The fact that the law has not yet reached NZ shows your subscribers that you genuinely care about their privacy and are taking active steps to protect their data.
Additionally, when these regulations are inevitably written for Australia and NZ, you’ll already be ahead of it.

Disclaimer: This post is for information purposes only and should not be used as a guide, or legal advice, pertaining to the GDPR and becoming compliant. Rather it provides background information on what the GDPR is and how it may affect you. Please seek legal advice if needed.

Leave a Reply