By James Butcher (Group Digital Business Director)
The General Data Protection Regulation (GDPR) is one of the first major legislative attempts to regulate the World Wide Web (or, perhaps more accurately, the Wild West Web). While the GDPR is EU-based legislation, its impact will be felt globally from May 25th. In effect, the GDPR makes it illegal for businesses to use EU citizens’ data without a proper legal basis or consent. It classifies anonymous identifiers (like cookies and device IDs) as personally identifiable information, and applies any time an EU citizen accesses your website. This broad scope means that some New Zealand-based organisations will need to review their data processing practices, or else risk the significant fine for non-compliance – a penalty of up to €20 million, or 4% of global annual turnover (whichever is higher). Any New Zealand organisation that uses web tracking or profiling of EU citizens will fall within the ambit of the GDPR.
This is a significant step for EU lawmakers to take, but it is a step in the right direction. This legislation will introduce more control and transparency for the consumer, while also holding publishers, vendors and advertisers accountable for data protection. As they begin working towards compliance, New Zealand businesses have the perfect opportunity to start thinking about how they collect and process user data.
Here are some immediate steps or actions brands should be taking or thinking about in the lead-up to May 25th:
Remember, the GDPR’s definition of personal data has broadened to include more than just personally identifiable information. It covers everything from names, photos, email addresses and employment details to interactions on social media and IP addresses. Don’t assume that unique identifiers like cookie IDs or advertising IDs are just ‘anonymous’ data!
Organisations now need to justify their collection of personal data – in digital advertising, the most common justifications are ‘consent’ and ‘legitimate interest’.
Consent has to be freely given, specific, informed and unambiguous. Under the GDPR, silence, pre-ticked boxes or inactivity are not valid forms of consent!
No longer will long-winded, technically-worded privacy statements suffice; your notice now has to be concise, easily accessible and written in clear and plain language. It also has to explain the legal basis you are collecting personal data under. For instance, personal data that has been collected to perform a sale of goods contract cannot later be used for marketing, unless the person has specifically agreed to receive promotional offers.
Under the GDPR, a user can request to access, opt-out, restrict or erase their data – and more.
From speaking to local businesses and publishers, there is a sense that New Zealand organisations are neither aware of, nor fully prepared for, the impact these changes will have on them. As New Zealand is a popular holiday destination for EU citizens, there is a high likelihood your business engages with EU citizens on a regular basis – and therefore, you must take steps to ensure your business’s data processes are compliant with the GDPR. This is not a one-off task, but rather an ongoing process – your business policies and processes need to reflect this.
Following the recent controversies which have come to light around user data misuse (Cambridge Analytica being one), rebuilding trust, transparency and accountability with consumers around their privacy is essential. The basic premise of the GDPR is that people should be able to control their data and determine when, how and for what purpose personal information about them is being held and used – which, from my perspective, is also good practice for how New Zealand businesses should be thinking about how they process Kiwis’ data as well.