The need for better data protection has resulted in the biggest data law change being introduced - the General Data Protection Regulation. Christine Allen talks to the service providers shining a light on how the European law is set to impact Northland's businesses.

If you've been wondering why you've been getting notifications from all and sundry about their updated privacy policies – you can look to the General Data Protection Regulation (GDPR) which was introduced on May 25 as a law to protect the data and privacy of European citizens.

However, as the internet has a global reach, this impacts any business in Northland which offers products and services online and collects the private data of European citizens.
Google Analytics is one example of a programme which sees Northland businesses collect data from website users.

"If you have a European citizen visit your website, you need to be in line with GDPR requirements," said Teresa Watkins, director of Whangarei-based web designers and hosts Monster Graphics.


"And if you think it's as simple as uninstalling Google Analytics to save you the hassle, think again because if you have a contact form on your website, a newsletter sign-up, a booking system or are selling items online – this is all governed by the GDPR and you will need to make some updates to your website," said Watkins.

She said the data is as simple as a person's name, phone number, e-mail address, IP address, location data or photos.

"Even if your data management is looked after by a third party such as a CRM system or Mail Chimp, you are still liable for this."

How to comply
In extreme cases, failure to comply with the EU law could result in fines of up to $20 million, or 4 per cent of annual global business turnover, for Kiwi businesses.

Watkins said Northland businesses will first have to add or update a privacy policy on their website and place it in a visible location there.

"You might want to contact a lawyer for this or use tools you find on the internet to help you generate one. It will need to fully disclose what you are doing with website users' data."

Websites will also need an additional alert to inform website visitors and users that you are using cookies, which store the data.

She said many businesses will also need to upgrade their security certificates to HTTPS.

Watkins said the best way to get in line with the GDPR is to consider your entire website user experience, taking in contact forms, newsletter sign-up (MailChimp), e-commerce pages (check-out), accommodation websites (booking system), Google AdWords, Facebook, brochure/catalogue downloads, memberships and CRM systems.

"We are still looking into compliance around third party site policies, such as Mailchimp.

"Your website host will take care of the technical side of things and upload new pages and add the cookie alerts."

She said adding cookie alerts would cost less than $100 but upgrading to HTTPS could cost between $200 and $300.

"It remains to be seen how the GDPR will be policed, and compliance will be monitored, but I suspect that non-compliant sites will be penalised in some way."

Good practice
Richard Anstice, commercial lawyer at Regent Law in Whangarei, said the GDPR is a big law with heaps of rules, which Northland businesses that sell goods or services to people in the EU, or monitor the online behaviour of people in the EU, will need to comply with.

"Hacks and other data breaches are on the rise. We all know about people being scammed, having accounts hacked. Good practice for data security and privacy is necessary to manage risks and to get insurance.

"Compliance with NZ privacy laws also matters. The EU considers New Zealand's privacy rules are 'adequate'… this enables sharing of information with NZ businesses."

Anstice said each EU member had a supervising authority which was broadly similar to the NZ Privacy Commissioner.

"But a central European Data Protection Board will co-ordinate these [laws]."

Non-compliance, he said, could result in fines or difficulties exporting to the EU.

Anstice said business owners needed to be proactive in assessing their need to comply.

"Now is the time to check compliance with NZ privacy law, and to assess whether a business is directly exposed to the GDPR.

"…assess your compliance with New Zealand privacy laws… give your business a privacy health check."

He said if you discover you are collecting data from the EU, get legal and IT advice around complying with the GDPR.

"Nobody likes extra compliance. But, if we are trading well internationally, GDPR compliance can be a good problem to have."

He said it was an opportunity to grow our brands by "being the best at looking after our customers' personal information".