The “biggest shake-up” to European privacy laws in 20 years will take effect next Friday (25 May) as the European Union's General Data Protection Regulation (GDPR) comes into force.

What should New Zealand law firms do to meet compliance – should they need to do so?

All companies and organisations within the scope of GDPR that collect, store or use personal data of EU residents need to comply by this date , or risk penalties of up to €20 million or 4% of global annual turnover.

Compliance is required regardless of whether a company owns the data, or is just a service provider processing data for another company.

The Privacy Commissioner John Edwards says local businesses could be subject to the law if they are “effectively operating in Europe”.

But he says that someone selling Manuka honey from a website in Northland to a customer in The Netherlands and the customers’ data is in the New Zealand businesses’ data base, would not be subject to the GDPR.

Mr Edwards says compliance with the New Zealand Privacy Act “takes you quite a long way in terms of the GDPR and keeps you pretty safe”.

But Hayley Miller, a partner at Kensington Swan specialising in technology and privacy, says that might not be enough for full compliance with GDPR requirements.

“A New Zealand firm that is not (based) in the EU should be making sure that their privacy policies and all of their privacy standards in New Zealand are complied with and I find that there are a lot of firms that haven’t looked at their privacy policies for years. A lot of the cookie statements would now be very out of date. So it’s a really timely reminder to businesses to look at the basic fundamentals of New Zealand privacy laws, says Ms Miller (right)”

She says there are ways that Kiwi businesses can be caught out by the GDPR.

“If your website has EU languages, for example if you have a German or Italian translation, you could come under this law. Also if you are selling goods and have a drop-down box that has prices in an EU currency or if you have lots of testimonials in relation to EU work, or you’re gearing your marketing towards people in the EU.

“You could also be tripped up if you are targeting citizens in the EU in any other way, for example if you are advertising your services on EU sites, such as an ad on The Guardian’s website. It is the business intention that is important and whether it is apparent that an offer to an EU-based data subject was envisaged,” says Ms Miller.

One other thing that might catch NZ businesses unaware and bring them within the scope of GDPR is “monitoring of the behaviour of EU data subjects in so far as their behaviour takes place within the Union”.

“This could include tracking of the individual on the internet especially if you then use this information to target advertising to them,” she says.

Data does not respect national boundaries

MinsterEllisonWattRudds describes the roll out of the GDPR as the biggest shake-up to European data privacy laws in 20 years.

“The aim of the Regulation is to harmonise data protection laws in the European Union, and address fundamental challenges faced by data protection laws as a result of the dramatically different technological environment we are now operating in.

“The majority of New Zealand-based small to medium sized businesses are not likely to fall within the scope of the Regulation.  However, it will apply to New Zealand businesses that operate on a more global scale and/or actively market their goods or services to individuals based in the Union.

“One fundamental challenge for individuals (and their personal data) is that their data no longer respects national boundaries. It is for this reason that one of the most significant changes to the data protection framework is to extend the Regulation’s reach to businesses based outside the Union.

“Although it’s not yet clear how the Union’s enforcement agencies would bring proceedings against a New Zealand based company with no physical or legal presence in the Union, the potential reputational damage for non-compliance could be just as damaging to a business’s profile.”

The firm recommends that any New Zealand business that is subject to the jurisdiction of the Regulation reviews its current levels of compliance; takes immediate action to bring compliance up to the level required under the Regulation; and considers its overall attitude to risk and whether to implement a risk management framework.

The Kensington Swan website says, however, that it isunlikely that EU data protection authorities will have the resources or inclination to pursue SMEs in New Zealand who only collect personal data incidentally in the course of their operations.

“In addition, where a business does not have a physical presence in the EU, it will likely be costly and complicated for GDPR proceedings to be brought against that business, with significant jurisdictional hurdles to overcome.”