Data, privacy and GDPR (General Data Protection Regulation) are such a hot topics right now it is sometimes hard to keep up.
So in this video, Peter Rogers, founder of Mango, interviews Amy Ryburn and Alexandra Chapman from Buddle Findlay.
Amy and Alexandra clarify how global organisations have been affected since GDPR was enforced in May 2018.
What has been the impact of GDPR in the UK and Europe?
I think it’s been threefold.
1. Hefty Fines
I mean obviously there’s been some fines – we’ll talk about that in a minute - but that’s obviously its made some people quite scared and worried about ensuring their compliant because the fines can be pretty hefty.
2. Takes Effort
More importantly than that, I think, obviously becoming compliant with the GDPR requires quite a bit of effort, and as part of that effort, I guess, it really increased organisations focus on good internal controls and data security.
3. Identifying Data
Actually, identifying what data they had in the first place, which I don’t even think all organisations were necessarily good at, actually knowing what they held and what they got it from.
I think right across the board, organisations, it’s just become much more top of mind, much more an issue that would be considered at the board, as being really critical than perhaps was the case before the GDPR was enacted.
The flip of that is, I think, that the consumers and individuals are becoming much more savvy and aware of their rights. I think, in the UK the complaints have almost doubled since the GDPR came into force. So, from that perspective, you’ve got organisations becoming a lot more aware of their responsibilities but individuals becoming much more aware of their rights, so it’s just become a much bigger deal than perhaps it was treated in the past.
What has been the impact of GDPR in the USA?
Most of the privacy laws are state by state, so, it’s very different and there’s not sort of one approach, like there is with Europe, they’ve got the GDPR and that covers all the European nations within the European Union.
I think the area that is most evident is in California. They’ve recently had a comprehensive privacy bill brought in. I think that came in June or July, that got passed into an Act, and that’s similar to the GDPR in that it’s very broad and very wide reaching, but there’s not one really coherent approach.
If you look on it on a state by state basis, some states don’t have really anything in the privacy space. Then you have some states that have really comprehensive legislation.
So, it is quite difficult to give an overall position but, the trend seems to be moving towards more of a GDPR type model.
Yeah, it’ll be quite interesting to see how that works, particularly - I’m not sure how familiar you are with the process of sharing information between the US and the European Union.
At the moment they have what’s called the privacy shield. Companies in the US can self-certify and say we have equivalent protections to the privacy laws in the European Union, and on that basis, companies can share information easily. But that’s actually subject to a legal challenge at the moment, it’s the second time it’s been challenged, and if that doesn’t get upheld, then it will be quite interesting to see what happens there because obviously there’s a lot of businesses who are both in the US and Europe who are relying on the that to share information. If that doesn’t get upheld, then there will have to be some serious changes somewhere in terms of how data issued between the European Union and the US.
Are smaller companies getting fined for not following the GDPR regulations?
The examples I can think of, in the UK in particular, and this comes up quite a bit as you mentioned earlier about getting those emails that you haven’t signed up to or once you’ve withdrawn your consent and someone is still marketing to you.
It’s quite common to see fines for small businesses and there’s a £100,000 or £200,000 level for those types of breaches.
For example, the recent British Airways fine was for £190,000,000, but then it’s a massive spectrum because at the other end they do have these low-level breaches that they are constantly picking up and churning through. That’s continuing with the GDPR as well, it’s not just your big-name companies, it’s also the small operations of a car dealership might get stung as well, the quantum of the fine might not be the same but it’s still a percentage of their turnover.
The big fines get all the media attention, you know the one for British Airways, the one for Marriot Hotels, there was a lot of articles in the press about that, which might make you think that those are the only companies that any of the regulators are interested in, but that’s not the case.
You don’t find British Airways today got fined blah blah blah and John Smith and Son Ltd had 5 employees fined £500, its not going on the same news is it? No, but actually from an impact thing, it can have a really big impact on a small business. From a reputational perspective as well if you’re getting stung with that.
What are the top 5 things NZ Companies should know about the GDPR?
1. Extraterritoriality
To your point before, I think the first thing that people understand it that it has extra territorial reach. Just because you’re in New Zealand doesn’t mean that you can assume that the GDPR doesn’t apply to you.
That said, I think that sometimes people have become a bit worried and assumed that simply because they have, for example, a website that can be accessed from overseas, that somehow, they’ve got to be GDPR compliant and we don’t think that that is the case.
Really, at a high level its where you either have an establishment in the EU that's somehow involved processing personal data in the EU or you target individuals in the EU in some way, by targeting the sale of goods or services to customers in the EU or maybe monitoring the behaviour of customers in the EU. That could include behavioural advertising, using cookies for example, might be captured. But simply having a website that might be accessible from a European jurisdiction doesn’t put you in the frame automatically.
2. Contractual
I guess the second way in which you can become subject to the GDPR when you’re in New Zealand and that’s not by legislation, it’s by contract. For all those companies out there who are processing on behalf of, or for European entities, you can become a "Processor" under the GDPR and often times you will see that reflected in the contract terms that you will be required to sign up for with "Controllers" who are based in the EU.
Increasingly, we are seeing our clients be presented with terms from European based entities that use all the language of the GDPR in those terms and that requires some upskilling and some education, so that they understand:
- “What are these concepts of Processes and Controllers?”
- "What do I actually have to do?"
- "What are these terms requiring of me and how can I comply, because I wouldn’t otherwise be subject to these except for the fact that I am contractually bound to adhere to them?"
3. Compliance with Privacy Act is NOT Compliance with GDPR
I think the understanding that compliance with the Privacy Act is not compliance with the GDPR, they’re not the same thing.
The GDPR is a higher standard and is much more prescriptive and so you can’t assume that just because you are compliant with the Privacy Act, that if you are indeed subject to the GDPR you are automatically compliant with the GDPR because that may well not be the case.
4. Understand Your Data
I think understanding personal data under the GDPR is really broad, it could just be IP addresses, things that people might not necessarily immediately identify as being personal information, but could in some sense be identifiable with an individual.
The basic step is understanding your data, it’s understanding:
- What data do I hold?
- Where did it come from?
- Did I get it subject to any consent?
- Are there any consents in place?
- And what do they say?
- What am I now doing with it?
- What is the purpose for which I hold it?
- How long will I hold it for?
5. Privacy Officer
Separately, the other key step that people could take, as well as getting any advice about whether any of their activities will put them within the GDPR or not, is just the good practice of having someone in your organisation who is in charge of privacy.
Privacy officers are required in the Privacy Act anyway, and the GDPR requires you to have someone who is responsible in your organisation.
I just think its really good practice anyway, to have somebody whose job it is to understand what you have and what your doing, but also whose job it is to stay current with what the law is doing and what best practice in that area is.
If you do those two things, identifying what data you have and how you’re using it and make it somebody’s job to look after that, then your probably going a good way forward in terms of making sure that if at any point you do need to be compliant when perhaps your not, you’re steps ahead of everybody else.
What can organisations do to ensure they have permission to move data into their system?
A lot of it depends on where you think the data’s come from, because I think the position under the GDPR will be different to the position under the Privacy Act.
You can have some protections and that in terms of your contract, and presumably, the contract you have with your customer has some commitments from you, in terms of what you’ll be doing with the data from a security perspective. But also, I would normally have thought, in that situation, that you might try and get some warranties from them about their rights to share the data with you, to the extent that there was any risk in terms of its got personal information or personal data.
Also get some indemnities if you can get them, because you don’t want to be exposed to any claims.
For example if the GDPR applies, you don’t want to be subject to claims from the underlying data subject. If it’s a European data subject then they could potentially have a claim against you so, I would normally try and put in some indemnity protection for you there. In any event you will still have some responsibilities under the Privacy Act in terms of how you treat that data.
Regardless of what laws apply and what jurisdiction we’re talking about, there’s reputational things to be considered here, because, I think around the world, individuals are becoming much more interested in how their data is being used and by whom and so I think you’re entitled to be worried about your reputation and say “actually, its really important to me that I know that the data that I’m receiving and I am treating, that it was obtained legally.” And I guess, short of doing detailed due diligence into the process by which that data was obtained, and you know, sometimes, you just don’t have the time or the cost or the wherewithal to be able to do that, asking for contractual protection, asking for a warranty, an indemnity is a really good way of flushing those issues out, because if they go to their own lawyer and say “this person’s asking me to give them a warranty or asking me to give them indemnity then their lawyer, if they’re worth their salt, will be saying “Well are you sure you’ve got these protections in place?, because if you don’t have consents then we might be liable.”
It can spark conversations within their own organisation about whether they’re actually doing the right thing. Sometimes, asking for legal clauses can be a really good way of flushing out problems
What if the API was going both ways? How do I know that party is going to be ethical?
Yeah, well in that sense it would be wise to ask for the same protection from you.
The best way to do that would be describing in a contract, the scope of how each of you can use the data that both of you have received from the other party so it’s a real clear description of what the data is and how you’re going to be using it. Then get the part who collected the data or who it came from to, in each case, warrant that the consents they have in place are wide enough for that data to
A) be shared and
B) to be used within the scope that’s defined in the contract.
Are there organisations that can do a GDPR audit and get certified to GDPR?
Under the GDPR there’s scope to have certifications to say that your business is GDPR compliant, but at the moment no such certification exists so, its very early days still.
You could have an audit done by a service provider, and I think if you were going to pursue that route you’d probably want to look at a European based auditor, but it would be very expensive and it would take a lot of time, and I think, as Amy touched on earlier, the first step would probably be making a decision as to whether or not you think your actually subject to the GDPR.
Then secondly the risk, even if you are subject to it, what’s the risk of someone ever actually coming and knocking. But, yes you can have certifications done, you can have someone come through and go through and see how robust all your procedures are, and there are various information specialists in New Zealand who could certainly help with that, but in terms of a formal certification for your business as a whole, at the moment that’s still a procedure that hasn’t been rolled out as yet.
Takeaways
- Impact of GDPR
- Hefty fines
- Takes a lot of effort
- Identify your data
- Top 5 things to know to be compliant with GDPR
- Extraterritoriality
- Contractual obligations
- Compliance with Privacy Act is NOT Compliance with GDPR
- Understand Your Data
- Privacy Officer