5 Quick Tips for GDPR Compliance

Contents

At the start of 2018, your inbox was likely inundated with emails from companies updating their Privacy Policies due to the GDPR.

The General Data Protection Regulation (GDPR) is a European Union law that was implemented in May 2018.

Why is this significant?

Because the GDPR introduced changes to EU privacy laws that have global implications.

Any data collected from a customer in the EU is protected under the GDPR. This applies regardless of where the data is processed – even New Zealand businesses with EU customers must comply.

If you’re concerned about how the GDPR could affect your New Zealand business, here are 5 quick tips for GDPR compliance.

But first…

Privacy Law in New Zealand

Before delving into European laws, it’s crucial to understand that New Zealand also has privacy laws that businesses must adhere to.

The Privacy Act 2020 governs the handling of personal information and includes principles similar to the GDPR. We’ll explore these similarities and differences in this article.

It’s also vital to recognise that the GDPR is a comprehensive regulation with numerous requirements. Following these 5 tips alone won’t guarantee 100% compliance.

These tips are intended to help you address some of the most common adjustments New Zealand businesses need to make to align with the GDPR – for detailed compliance advice, consult a European lawyer.

Now, let’s examine our 5 quick tips for GDPR compliance.

1. Adopt A GDPR Compliant Privacy Policy

This step is straightforward: Ensure your Privacy Policy is in line with GDPR requirements as well as the New Zealand Privacy Act principles.

Once you’ve addressed this, you’re on the right path.

However, merely having a Privacy Policy isn’t sufficient. You must also follow through with what the policy states!

2. Understand ‘Personal Data’ Under The GDPR

The scope of personal information protected by the GDPR is broader than under New Zealand law. It’s essential to know which data is safeguarded.

Under the GDPR, ‘personal data’ encompasses:

Name
Photograph
Email address
Telephone number
Postal address
Identification numbers (e.g., bank account number)
IP addresses
Biometric data (e.g., fingerprints)
Mobile device identifiers
Geo-location data
Behavioural and demographic profiling information

3. Implement A Cookie Consent Pop-Up

An easy step towards compliance is to add a cookie consent pop-up to your website.

This should include a link to your cookie policy, detailing exactly what information you collect from website visitors. You can visit cookie-script.com for a free and straightforward solution.

4. Understand ‘Consent’ Under The GDPR

The GDPR sets stringent standards for what constitutes valid consent for data collection.

Some requirements include:

“Opt-in” requirement: If you provide a checkbox for customers to opt into further communications, ensure it’s left unchecked. They must actively consent by ticking the box themselves.
“Clear” requirement: Ensure your consent requests are conspicuous and unambiguous. A pop-up on your homepage is a practical approach.

5. Properly Store Your Data

Investing in secure data storage systems is wise. Aim to use a reliable, secure CRM to ensure your data storage complies with regulations.

You should always be able to confirm:

The personal data you hold is secure.
If necessary, you can locate and access an individual’s data wherever it’s stored.

This may seem daunting for many small businesses. However, under the GDPR, EU citizens have additional rights regarding their personal data’s storage and use.

Subject Access Request

EU customers can request information on how, why, and where their personal data is used. They can also demand immediate deletion of their data, and businesses must comply.

If an EU customer makes such a request, you must provide a truthful response and a copy of their personal data in an electronic format at no charge.

Having a process for such requests is prudent. Preparing a template document that outlines how your business uses collected personal data is a good starting point.

The Right To Be Forgotten

Upon request, you must promptly erase an EU customer’s data from all locations within your business, including cookies, documents, and archived emails.

A centralised system for managing customer information can simplify the task of locating all customer data when necessary.

There are severe fines and penalties for failing to comply with these requirements.

Key Takeaways…

Privacy law is a serious matter, especially for online businesses or any business with a website presence.

If you’re based in New Zealand, ensure compliance with the Privacy Act 2020. However, the global nature of the internet means you may also need to consider international laws like the GDPR.

These 5 quick tips are designed to help you begin aligning with the GDPR as a New Zealand business. Start by updating your Privacy Policy, implementing a cookies consent pop-up, and ensuring opt-in forms for subscriptions.

And remember – if you’re uncertain about your GDPR compliance, seek advice from a qualified European lawyer.

Minna Boyle

Minna is the Head of People & Culture at Sprintlaw. After completing a law degree and working in a top-tier firm, Minna moved to NewLaw and now manages the people operations across Sprintlaw.

Tomoyuki Hachigo

Tomo is the co-founder of Sprintlaw and a commercial lawyer with a broad range of legal experience. Before starting Sprintlaw, he was an M&A lawyer at a top-tier law firm advising businesses of all sizes from large corporates to startups.