For many in the marketing and retail industries, GDPR is a daunting acronym that fills them with dread, although for those whose policies, protocols and procedures are already in line with best practice the GDPR represents an opportunity to distinguish themselves as committed to the fair treatment of an individual’s digital footprint.

It may come as a surprise that the GDPR will affect New Zealand businesses – from Taupo to Timaru – due to its extra-territorial application. Even for those businesses that aren’t directly subject to the new regime, the implications of the GDPR will be felt far and wide; as the changes introduced in Europe are to be (in part) replicated in New Zealand, and as consumers worldwide become more attuned to how their personal data is used and abused in light of recent global scandals.

The GDPR will be the pre-eminent global regime with respect to the processing and free movement of personal data, and with the introduction of this new regime comes a myriad of regulatory and compliance obligations for any organisation which relies on or benefits from the use of personal data in the course of their business and is subject to the GDPR’s jurisdictional reach.

Many organisations will benefit from a ‘deep dive’ which investigates from whom and from where they obtain that data; how they use it; and whether and to what extent they need to comply. With that in mind – and before jumping off the highest platform – New Zealand businesses and most critically their marketing professionals should consider the following five key points regarding the GDPR:

1. The GDPR may not apply to you

The good news for some NZ businesses is that the GDPR won’t apply to them. Businesses with a uniquely Antipodean focus are unlikely to fall directly under the scope of the GDPR.

The bad news is that it won’t take much to bring a business within the ‘net’ of the GDPR – especially a business with an online presence that is engaged in the marketing of goods and services.

The GDPR applies to the ‘processing’ of personal data of data subjects (in other words, individuals) who are physically located in the EU – regardless of their citizenship – by a ‘controller’ or ‘processor’ who is not situated in the EU, where the processing activities are related to:

  • the offering of goods or services to data subjects in the EU; or
  • the monitoring of their behaviour as far as their behaviour takes place within the EU.

In many cases, it will be obvious to a New Zealand business that it falls within the scope of the GDPR: for example, if it is marketing goods or services using a campaign that specifically targets EU-based individuals.

But even campaigns that don’t obviously target EU-based individuals may still be caught. The recitals to the GDPR suggest that offering a consumer the ability to pay in a currency used in the EU could suffice; even the use of a language used in the EU (but not elsewhere) could bring the offeror within the GDPR’s jurisdiction.

An example could be a tourism operator who tailors its marketing campaign to a German audience by including German text in its communications: not the most obvious target for regulation under EU law but caught nonetheless.

2. Don’t let your cookies crumble

The ‘monitoring’ of the behaviour of website users is particularly likely to trap businesses unaware. Even the use of fairly basic cookies on a website not targeting EU users – but attracting visitors from the EU nonetheless – could technically bring the publisher of the site within the clutches of the GDPR.

Accordingly, NZ businesses may want to consider whether it is appropriate for the information collected by their cookies to be truly anonymised (so that it is not ‘personal data’), or whether appropriate geo-blocking technology can be employed to ensure that no personal data is collected in respect of users of the site from within the EU.

Businesses that are caught by the GDPR’s net will need to remember that information collected through the use of cookies must be treated like any other personal data. This means, among other things, that they will need to establish a legitimate basis for processing the data collected – for example, the website user’s explicit consent (obtained by way of a cookie banner or similar) – and also that they will need to ensure that the way in which that data is to be used, and to whom it is to be disclosed, is clearly communicated to website users in a privacy policy that is ‘concise, transparent, intelligible and easily accessible’.

That’s not all. Since the business will be a ‘controller’ of the data collected, the full gamut of the GDPR’s provisions will apply – with all of the regulatory and compliance burden that entails.

3. Your current opt-ins might need to ‘harden up’

You have probably started receiving a barrage of emails from EU-based marketers, asking you to confirm that you still consent to receive email communications from them in advance of the introduction of the GDPR on 25 May. In short, these marketers are asking you to ‘harden up’ your previous ‘opt-in’, to create a clear audit trail that you’ve expressly consented (a ‘hard opt-in’) to the use of your personal data for the purposes of receiving marketing communications.

If you’re running an email campaign that targets EU-based recipients, you’ll need to think about whether you have a legitimate basis to use their contact details to send them that campaign. In almost all cases, you’ll be relying on consent. If consent has not previously been obtained – or even if it has, but the consent was not obtained in an adequately ‘granular’ (read: detailed) manner, or if the consent was not freely given (that is, the individual had a valid free choice to consent: it wasn’t a condition for the receipt of a product or service) – then you will need to reconsider whether you should be marketing to that individual. If you’ve been relying on a ‘soft opt-in’ (that is, follow-up communications to existing customers) you’ll need to be careful: the upcoming EU ePrivacy Regulation is likely to further narrow the circumstances in which such communications are permitted.

The time is probably right to start auditing your email databases and confirming who has consented to what and in what circumstances. It is certainly an opportune time to address how you will obtain consent in the future: in the case of distribution lists, you won't be able to rely on a pre-ticked box, silence or inactivity; and the consent will need to be ‘freely-given, specific and unambiguous'. A non-tailored, scatter-gun approach is unlikely to meet the GDPR's high standard.

4. The consequences of getting it wrong are significant

The maximum penalty for a failure to comply with certain key provisions of the GDPR is the higher of €20m or 4% of ‘global’ turnover (‘global’ turnover isn’t defined, but it is anticipated to mean turnover of the wider group of the infringing organisation). Whichever way you look at it, that is a substantial incentive to comply. The new regime promotes data protection fines into the same league as fines doled out by European competition authorities for breaches of competition laws.

That said, it is only for the most egregious of breaches that a fine of that nature is likely to be levied. It is likely that European competition law authorities will have bigger fish to fry than SMEs in Napier or New Plymouth – leaving aside the practical difficulties of trying to enforce a European regulatory fine against an organisation without any physical presence in the EU.

However, that’s not to say that New Zealand businesses should take a blasé attitude to compliance, in particular, if they do have a significant European customer base. GDPR and the protection of personal data is top-of-mind for many European customers, and they may be unwilling to engage with overseas organisations in circumstances where they are not comfortable that their personal data will be given a similar level of protection to the level of protection afforded them by the GDPR, using concepts and terminology with which they are familiar.

5. It won’t happen overnight, but it will happen

Of course, NZ businesses who do comply with the GDPR – or at least go as far as they can practically do to mimic the European model of treating personal data – will hold themselves in very good stead insofar as compliance with NZ privacy laws is concerned. Those who don't yet reach those levels of compliance could do worse than to look to the EU as an indication of where NZ’s privacy laws are heading.

The recent Privacy Bill introduced into the NZ parliament will seek to bring in increased fines for non-compliance; mandatory data breach notifications; increased scrutiny on transfers of personal data overseas; and strengthened information-gathering powers for the Privacy Commissioner. All of these changes will have the effect of bringing NZ’s privacy laws closer to the GDPR; but also a regime closer to home – that in Australia, which has also recently introduced higher fines and mandatory data breach notifications.

What does this mean for NZ businesses?

We recommend that New Zealand businesses take some time to understand whether the GDPR applies to them. The reputational damage that can be wrought from a failure to comply with data protection law – regardless of the regulatory sanctions that might be imposed – can wreak havoc on a business.
The cost of fully complying with the GDPR is likely to be a not-insignificant burden on SMEs and may cause some businesses to reconsider their approach in Europe.

However, an ability to comply with the GDPR is a clear statement from a business that it takes privacy matters seriously. It is an indication to consumers that the business is one which they can trust with their personal information.

Since New Zealand law is likely to follow – at least in part – the GDPR regime, the sooner that New Zealand businesses prepare for the introduction of more robust privacy requirements, the better-placed they will be to respond and adapt to a global environment where the protection of personal information – especially online – is becoming more and more pertinent.