In 2018, an unprecedented new data privacy law took the EU and, by association, the rest of the world by storm. The GDPR (General Data Protection Regulation), in its own words, is described as “the strictest privacy and security law in the world”, and it is safe to say that the impact it has had on the global technology and business sectors has been significant over the past four years.
With more and more New Zealand businesses facing data and security breaches, the question arises of whether we should focus more on our own data privacy laws, and whether we can turn to other countries for advice.
With the 2020 pandemic driving an increased online presence across the board, businesses have had even more reason to strengthen their data security systems and protocols, as regulations continue to carry heavier penalties and consequences for violations.
Another important factor is that the law also covers affiliated entities, which means it affects not only the EU market but also international companies that fall under EU jurisdiction.
Before the pandemic, Google was fined a substantial €50 million under GDPR in 2019, when it failed to make its consumer data processing statements readily available to users. It has also been criticized for mining its users’ data for targeted advertising campaigns without asking for their consent, a trend increasingly apparent as companies seek new ways to expand their market growth.
More recently, in 2020, British Airways was the target of hackers who breached its security and led customers to a fraudulent site that compromised the personal and financial information of around 400,000 people.
These substantial legislative changes have also come at a cost. According to legaljobs.io, 27% of companies have spent more than half a million dollars to comply with the GDPR, and more than 359 million euros in significant fines have already been imposed. That number is expected to grow, with some businesses apparently struggling to keep up with the ever-changing online climate.
Rob Ellis of tech company Thales spoke to the BBC in May 2021, telling them that “when GDPR was first drafted, legislation did not necessarily take into account the adoption of new technologies and the rapid migration to the cloud caused by the pandemic.
“In this age of remote working, businesses had to digitally transform almost overnight just to keep the lights on, without necessarily incorporating security into the design of new systems and processes.”
So if companies are struggling internationally to implement processes, how are things in the New Zealand market?
If New Zealand businesses have a relationship with the EU or are based in the EU, then they must adhere to the rules set out in GDPR 2018, while also following the guidelines of the NZ Privacy Act 2020. That’s a lot of information from many different places, but luckily the New Zealand government digital website makes it clear that there is likely to be significant crossover between the two.
With two different sets of rules and a myriad of new technologies and systems to navigate, it’s clear that businesses now need to be more vigilant than ever to keep pace.
University of Auckland business law professor Gehan Gunasekara says companies would be wise to make sure they are familiar with EU laws, and that if companies invest in smart solutions and GDPR-related education, they will be better protected in the long term.
“If you meet European requirements, then 99.9% of the time you are most likely to meet New Zealand requirements as well. There are subtle differences between the two plans, but for most companies that doesn’t really become an issue.”
He says the most difficult situations arise when doing business in and with Europe, and this is where companies should carefully consider all the steps necessary to comply with GDPR.
“Say, for example, you are a tour operator and you want to bring Europeans to New Zealand or offer flights to Europe, then you have to comply with GDPR.
“It’s just about being transparent, and a little more than consent. There’s the idea that if you get specific explicit consent, it’s fine, but that’s not how GDPR works. This is kind of how New Zealand’s privacy law works because most things can be agreed upon by consent under New Zealand law, but in GDPR consent is not a solid basis on which to base the processing of personal data.”
He says that the European GDPR is based on legitimacy of interests and that companies must explicitly explain how they are going to protect the data.
“You have to show that you have a legitimate interest and that the individual’s interest does not prevail. You must also show that you are taking the necessary measures to protect the data. Even if an individual signs some kind of waiver or consent, under GDPR that’s not going to get you out of the woods.”
Another issue raised by Gunasekara is education. He believes that even if companies are equipped with the best tools and systems, people are key to GDPR compliance and should be a key investment.
“The New Zealand Privacy Commissioner can only provide limited help with EU laws.”
Earlier this year, Gunasekara and his team at the University of Auckland launched a program specifically aimed at businesses and workers looking to improve their skills in the areas of GDPR and data protection.
“We have a brand new online program called Master of Information Governance which was launched this year. The idea is to train and develop the people who are responsible for privacy, responsible for information and responsible for governance.
“The advantage is that if an organization sent its staff to a program like this, then that staff can train other staff within the organization and so there is a cascading effect.”
When discussing our data privacy regulations relative to the rest of the world, he thinks we’re halfway there when it comes to developed countries.
“Many countries around the world do not yet have privacy regulations in place. I mean, China is the latest country to pass a pretty strict privacy law. Almost every week, another country passes a privacy law.
“We think we’re weak compared to GDPR, but even compared to Australia for example, where small businesses aren’t covered, New Zealand has a good one-size-fits-all law that’s relatively easy to understand.”
When asked what companies should do, beyond education, to prepare for GDPR compliance, Gunasekara stressed the need for a company-wide approach, with all employees doing their part to protect data.
“There really is no excuse for companies not to get up to speed, and it can’t be something that can only be dedicated to a compliance officer or a privacy officer. It requires a holistic approach to the business. This needs to be understood at the board and CEO level and there are cost implications, but the costs of privacy failures would be higher.”
With new privacy laws appearing every day and a vast majority of businesses around the world regularly subject to data breaches, it’s clear that data privacy is not something businesses should sweep under the carpet. GDPR and privacy laws are there to protect businesses and consumers, not hinder them, so it’s in their best interests to make sure they’re up to date.
Do we need a brand new state-regulated, New Zealand-specific GDPR? It may be too early to tell. With so many of these new laws around the world in their infancy, their full effect has not been revealed.
With notable fines and the focus on improving secure technology, we’ve seen many companies get bitten and others learn from their mistakes, which may be an early indicator of change. However, it is clear that the European GDPR is a historic initiative that New Zealand and the rest of the world should follow closely.