11 May 2018
In the last few months we have received many questions about GDPR from New Zealand companies that provide goods or services to people in Europe. We have summarised a few of their concerns below.
GDPR is a European regulation and doesn’t apply to my New Zealand based company.
According to Article 3 of the GDPR, it applies to companies that offer goods or services to European residents, irrespective of whether these companies are established in the European Union or not, and as such it also applies to some New Zealand based companies.
GDPR doesn’t apply to my New Zealand business as it is a small company.
GDPR does not discriminate on the basis of company size and as such applies irrespective of the size of your company.
I comply with New Zealand privacy law and therefore I also comply with GDPR.
Complying with the New Zealand privacy law is a good start, but it doesn’t ensure compliance with GDPR. GDPR requires controls that are not part of the New Zealand Privacy Act.
GDPR doesn’t apply to my business, since I don’t target European residents specifically. I provide services via my website to everyone in the world.
If, as part of your global offering, you also offer your services to people in Europe, then GDPR applies to your business.
GDPR doesn’t apply to my business, since we collect only basic information, such as IP addresses and browser type, but no privacy-sensitive data.
According to Recital 30, an IP address is also considered personal data and as such it is in scope of GDPR.
Isn’t it sufficient that my lawyer, accountant or privacy officer can attest that I am GDPR compliant?
Article 5 of GDPR requires that organisations be able to demonstrate compliance with the regulation. While an attestation by your lawyer, accountant or privacy officer gives some comfort, they might not be independent. Further, GDPR requires organisations to implement appropriate technical and organisational controls. An audit report on those controls by an independent auditor is the recommended form of attestation.
In my case GDPR requires me to appoint a Data Protection Officer (DPO). Can I ask my lawyer or my IT manager to be the Data Protection Officer?
They can if 1) there is no conflict of interest (Article 38) and 2) they meet the required qualifications according to the GDPR guidelines. As for 1), neither the lawyer nor the IT manager should then have been, or currently be, implementing GDPR for you. As for 2), the guidelines require a DPO to have both legal expertise in data protection laws and practices, including GDPR, and an understanding of information technologies and data security. The lawyer usually has the legal expertise but not the technical understanding; the IT manager usually has the technical understanding but not the legal expertise.
According to GDPR I am required in my case to appoint a Data Protection Officer (DPO). I run a small company and will, as CEO, take the role of Data Protection Officer myself.
A CEO usually can’t also be the DPO, since according to Article 38 a DPO must not have any conflict of interest and must report to the highest level of management, which is usually the CEO or the Board.
We don’t have to be compliant with GDPR as we transferred the responsibility to an SEO marketing company that collects and analyses visitors to our website.
By doing that you have transferred only the responsibility for processing the data; you remain responsible as the data controller, and GDPR therefore still applies to you.
We automatically comply with GDPR, since we host all our web applications with a GDPR compliant cloud provider such as AWS.
A GDPR compliant cloud provider ensures compliance for the cloud infrastructure and the services it offers to you. You are still responsible as a tenant, either as a processor or as a controller, for complying with GDPR for the data within your hosted environment.
A company in New Zealand offering services to EU people asks me on their website for my personal data. How do I know if I can trust them to treat my data according to GDPR?
My company is located in New Zealand and Australia. I am collecting data of New Zealand residents who are also European citizens. Does GDPR apply to my business?
Not necessarily. The fact that they are EU citizens is not relevant. What matters is whether they are living in Europe or not. Article 3(2) of GDPR states: “This Regulation applies to the processing of personal data of data subjects who are in the Union”.
My company is located in New Zealand and Australia. While I am not collecting data from or offering services to EU residents myself, I am processing data of European residents on behalf of my customers, who offer services to EU people. Does GDPR apply to my business?
Yes, GDPR applies to you as a processor and to your customer organisations as controllers. While you don't offer services to EU residents directly, you do offer your services to those controllers and process personal data of EU people on their behalf.
I have other priorities and can’t spend my resources now to comply with GDPR. Will there be penalties if I don’t comply?
You can choose not to comply, but that is a risk-based decision between spending resources to comply and risking fines. The fines are clearly defined in Article 83 of GDPR: infringements are subject to fines of up to 4% of worldwide turnover or €20 million, whichever is higher.
Note that not all companies are equally affected by GDPR, and as such not all requirements are applicable to your company. IISRI has defined a set of services to help New Zealand and Australian companies comply in the most efficient way.