GDPR – what’s the problem?

Revera’s Daniel Parsons on GDPR and why there’s not much to worry about.

New European Union (EU) privacy laws known as General Data Protection Regulation (GDPR) are now in effect, impacting organisations that handle personal data of anyone residing in the EU.

Sounds scary, but most New Zealand businesses don’t have much to worry about – unless of course they sell goods or services in the EU; or monitor the behaviour of people who live in the EU. The key factor is the location of individuals – not the location of the data processor or data controller.

Some New Zealand businesses will need to revise their data management policies, or risk being fined up to €20 million, or 4% of their annual worldwide turnover, for non-compliance.

Last Wednesday in Wellington I joined a panel of speakers at the Reseller News Exchange to discuss GDPR and its implications for New Zealand.

The new law enshrines the notion that people should be able to control personal data and have the right to determine when, how, and for what purpose their information is being held and used.

Much of our discussion centred on problems stemming from Article 17 – the right to be forgotten. Organisations are required to erase the personal information of anyone who requests its removal.

There are two interpretations of the right to be forgotten. On the one hand, the right to be forgotten could be interpreted as simple erasure – the technical delisting of data so that it is no longer displayed in search results or databases. On the other hand, the legislation implies a more fundamental obligation to permanently remove personal data, a so-called “oblivion” approach.

Fellow panellist Ahmed El Ashmawy also raised a point about the actions of regulators as they move to enforce GDPR. Some speculate that regulators are most likely to focus on “black and white” issues, such as the appointment of a data protection officer, and mandatory reporting within 72 hours of a breach being discovered. Either an organisation satisfies these conditions or it doesn’t, resulting in some fairly brief legal arguments.

But things get less clear when readers encounter the preponderance of the word ‘appropriate’. Just what is and isn’t ‘appropriate’? For example, does GDPR consider storing personal information on a mobile device secured only by a PIN code or password appropriate? Maybe not, given the number of apps that present personal data on mobile devices. Until precedents establish benchmarks for appropriateness, we won’t know for sure. Furthermore, some of the legislation’s policies are written in ‘future proof’ terms which, by necessity, avoid mentioning specific technologies.

Revera doesn’t do business in the EU, but some of our clients do. So I expect we will on occasion work with affected clients to delete selected personal information from our systems.

Interestingly (or alarmingly, perhaps) GDPR provisions make it impossible to use blockchain in the EU, because blockchain doesn’t allow changes after the fact (meaning private details contained in records can’t be erased).

In this part of the world, our own Public Records Act determines standards for managing personal information in the public sector. The Privacy Act has broader reach, controlling how ‘agencies’ collect, use, disclose, store and give access to ‘personal information’. Privacy Codes of Practice do the same, but they apply to specific areas – particularly health, telecommunications and credit reporting.

The New Zealand Government is working to refresh our privacy laws to better protect information gathered and stored digitally. The proposed legislation, called the Privacy Bill, acts on a 2011 recommendation from the Law Commission to grant powers to the Privacy Commissioner to strengthen existing privacy laws, by repealing and replacing the Privacy Act of 1993.

As far as I can see, the new bill aligns with the GDPR. So we’re on the right track.

Keep an eye on the progress of the new Privacy Bill and prepare for your new obligations. You should also expect to field more questions about your data management practices as they relate to the Privacy Bill and GDPR – though in the case of the latter, GDPR has no bearing on practices used by most New Zealand businesses.

01 June 2018