3 Steps On Understanding GDPR
So it’s been a few weeks now of everyone discussing GDPR, but people are still confused about what it is and what it means for them. Therefore, we thought we’d write some simple answers, so you can get your head around the GDPR chaos!
Firstly, what is GDPR?
The General Data Protection Regulation (GDPR) is a new law on how companies must protect EU citizens’ personal data; it came into force on 25 May 2018.
As of 25 May, companies that choose not to comply with the new GDPR rules could face stiff penalties and fines.
GDPR requirements apply to each member state of the European Union, aiming to create more consistent protection of consumer and personal data across EU nations, but the regulation also addresses the export of personal data outside the EU and EEA. Therefore, if you’re a New Zealand business handling EU citizens’ data, you will also need to make some changes to comply with the new rules.
If you’re a New Zealand business that doesn’t handle EU citizens’ data, it may still be a good idea to adopt, or at least consider, some of these new measures anyway, as it will only be a matter of time before similar laws are introduced here too.
What are the general GDPR requirements?
Quite simply, the GDPR mandates a baseline set of standards for companies that handle EU citizens’ data to better safeguard the processing and movement of citizens’ personal data.
The GDPR itself contains 11 chapters and 91 articles. Some of the more important requirements include:
- Measures need to be put in place to prevent personal data from being lost or exposed.
- In the event of a data breach, all customers need to be notified within 72 hours, and the specific details of the breach, such as its nature and the approximate number of data subjects affected, must be disclosed.
- Data Protection Impact Assessments will need to be undertaken to identify risks to consumer data.
- Larger organisations may be required to appoint a Data Protection Officer (DPO), especially if the data being handled reveals a subject’s genetic data, health, racial or ethnic origin, or religious beliefs.
- The Data Retention article limits companies from retaining data beyond a “reasonable” period of time. A reasonable period of time has yet to be defined and retention periods vary from country to country.
- Lastly, you cannot use complicated language in consent forms and privacy policies, as transparency is key.
What does this mean for your business?
If you’re a New Zealand based company that collects or processes EU citizens’ personal data, you are subject to the same requirements as EU-based companies, and the same penalties will apply; so don’t be caught out!
For more information on GDPR, check out the official portal: https://www.eugdpr.org/