The European Union’s General Data Protection Regulation (GDPR) comes into effect on 25 May 2018 and represents a big change to current EU data protection laws.
The GDPR expands the territorial reach of EU data protection laws, and New Zealand businesses that process personal data of individuals in the EU will have to comply with the new laws. For the purposes of the GDPR, processing means any operation which is performed on personal data, such as collection, recording, organisation, storage, use, disclosure or erasure.
The GDPR will apply to your business if:
The GDPR applies to the processing of personal data by both data controllers (organisations who exercise overall control of personal data and determine why and how that personal data is processed – if your business collects personal data about EU individuals for its business use, you’re likely to be a data controller) and data processors (organisations which process personal data on behalf of a data controller e.g. an outsourced cloud service provider such as Azure or Amazon Web Services).
The GDPR comes with large fines for non-compliance. Businesses can be fined up to 20 million euros, or 4% of global revenue, for serious contraventions of the GDPR (which is 30 times more than the current maximum fine for an offence under NZ privacy law).
If the GDPR applies to your business, it is likely that you will need to update your privacy processes and policies to comply with the new law. Some of the requirements of the GDPR that are more onerous than those under New Zealand privacy law include:
The full text of the GDPR is available here.
We will dive into the detail of the GDPR over the next few weeks, including providing some tips to help with your journey to GDPR compliance, so stay tuned for our next blogs.