Answers to some of the questions and statements we have heard
The collection and protection of personally identifiable information (PII) applies to both digital AND paper-based information. Therefore, when creating your DSAR (Data Subject Access Request) and purge processes and procedures, be very mindful that you need to include paper-based information. If you are storing paper records and subsequently destroying the information, then it is very important that you use a document management company that understands the GDPR and its implications, as they will be a Data Processor for your company.
This is a myth: whilst the GDPR is a law that affects EU citizens' personal data, it is classified as an international law and is therefore applicable to all companies either offering services or goods to EU citizens, or monitoring the behaviour of EU citizens, including tracking IP addresses through their website.
Wrong: the limited liability is there to protect directors who follow the letter of the law. Under the Companies Act 1993, section 137 "Director's Duty of Care" and section 135 "Reckless Trading", it could be argued that by not protecting assets (i.e. the customer data) and not implementing best-practice data protection methods, the director has traded recklessly and the limited liability protection is lifted, leaving all of the directors liable to any claims.
In the GDPR, Data Protection Officers (DPOs) are mandatory for companies with more than 250 staff. However, it is recommended as best practice to employ the services of a DPO to ensure the company is compliant with the 99 Articles of the GDPR.
It is, however, COMPULSORY under the New Zealand Privacy Act 1993, section 23 "Privacy Officers", for every company to designate a Data Privacy Officer to ensure the company is indeed complying with the 12 Principles of the Act.
In 2019 the New Zealand Privacy Act 1993 is likely to be updated (a bill is currently before Parliament), and it is stated that the new Privacy Act shall be in line with the GDPR.
The GDPR is already an international law and came into force in May 2018, so the company may still be liable until it is protected.
As Europe witnessed, there is still a great demand to get companies compliant, even though they had two years to prepare, implement their policies and make changes to their procedures. It is estimated that Europe is 50,000 DPOs short of meeting the demand.
As there are very few people with the skills to help companies through the process, waiting until it becomes ensconced in NZ law will be a very big gamble: when the company is ready, will there be sufficient skills available to help?
Whilst many countries, including New Zealand, wrote their own privacy laws, these were written 25 years ago, well before the Internet or smartphones. Due to the proliferation and growth of hacking and data breaches, every country is looking at the clauses in its current laws.
Europe took the lead and developed the GDPR as the world's first attempt to protect EU citizens' data. In fairness, whilst the fines are horrendous, they are there to show how serious the EU is about protecting the data.
Weekly, we are seeing other countries stating that they are redefining their own laws in line with the GDPR.
The GDPR is becoming a de facto standard for data protection and best practice.
Giovanni Buttarelli, the European Data Protection Supervisor stated:
“I expect first GDPR fines for some cases by the end of the year. Not necessarily fines but also decisions to admonish the controllers, to impose a preliminary ban, a temporary ban or to give them an ultimatum.”
With actions coming towards the end of 2018, it is imperative to fully understand the data protection and privacy landscape, how it affects your business and how your organisation operates.