Privacy Laws Get Tough: What NZ companies need to know

May 25. If the date doesn’t mean anything to you, it should.

Next month, new EU privacy laws (known as GDPR, or General Data Protection Regulation) come into force. And, yes, many New Zealand companies will be affected — even those that do not have offices in the EU. Yours, maybe.

What’s attracted headlines is the enormity of the fines that companies face for non-compliance: four percent of global revenue or €20 million (whichever is the higher).

While these are hefty fines, indications are that any fines will only be imposed after attempts to enforce compliance, where an offending company continues to demonstrate lack of accountability and violations remain unresolved.

Perhaps the biggest change from current EU privacy legislation, however, is that the new laws aim to protect EEA (European Economic Area) citizens globally, no matter where they are physically located. (The EEA includes EU member states plus Iceland, Liechtenstein, and Norway.)

Okay, so what do we need to do?

New Zealand companies need to assess to what extent GDPR laws are applicable to them, and to know what data they are collecting and what they are doing with it.

If your company has offices or operations in the EU you will need to be GDPR-compliant. NZ companies that have no EU presence but are marketing their goods and services to EEA citizens, and making use of their personal data, will also be affected.

Personal data? That’s anything that can be used to identify an individual, such as their name, address, location, IP address and cookie data.

Many local companies have websites that may be visited by EEA citizens, but they do not explicitly target EEA citizens. That is, their websites do not have European prices or languages, excepting English. Legal opinion is that they are not required to be GDPR-compliant.

If you have any uncertainty as to whether or not your business is affected and don’t know what changes you need to make, you should seek professional legal advice.

What Google is doing

Google’s role varies. It is a data controller (for products and services like Google AdWords, Google Customer Reviews, and G Suite). But it is also a data processor (Google Analytics, Google Data Studio, Google Tag Manager, Google Optimize, Google Attribution…).

Google stores customer information (yours and your customers’), but it also enables processing (such as segmentation and analysis) of customer data.

It has been about a year now since GDPR was approved, and Google (like many other companies with similar roles and obligations) has been busy.

Just this past week Google emailed its Google Analytics and Analytics 360 customers, advising that they need to take action in setting exactly how long Google should retain their data. If you didn’t see the email, you can still follow up on the actions required.

There’s more to come, as Google plays its role in helping marketers to be GDPR-compliant.

Beyond GDPR - Prepare for stricter privacy laws

Should New Zealand companies adopt stricter EU data privacy standards, applying them to all users and customers even where NZ laws don’t require it?

We say “yes”. Because the times, as Dylan once sang, are a-changin’.

Consumers have become more concerned about the security of their data, following large-scale data breaches (many of them only coming to light long after their occurrence). And the Cambridge Analytica-Facebook scandal has opened eyes as to how much personal data companies may possess and make use of (including, in Facebook’s case, the content of personal messages).

Assuming you are not in breach of current NZ Privacy Law, however, you will already be compliant with many GDPR requirements.

Three things to remember

  • Be upfront with your customers.
  • Earn their trust by advising them in clear language of what data you collect, what you do with it and how it benefits them.
  • And make sure that their consent is always opt-in and freely given.

About the Author Jeremy Templer

Jeremy is a Partner and Senior Consultant at SureFire. Jeremy has been working in search since 1996, when he joined the Australian search engine, LookSmart. After relocating to San Francisco, he was instrumental in the development of the company’s paid search ad platform. At analytics company Coremetrics (now owned by IBM) he established an in-house search agency managing campaigns for Coremetrics clients such as Macy’s, Bass Pro and Lands End. At Acxiom he managed members of the pioneering SEO firm Marketleap and worked with clients such as Capital One, American General Finance and Kaiser Health. Joining SureFire in 2009, he is the head of Paid Search Advertising and oversees the delivery of AdWords and other PPC campaigns. He also helps clients make sense of their website data.