New Zealand companies doing business with Europe have little time left until the European Union's General Data Protection Regulation (GDPR) comes into force on 25 May 2018.
All companies and organisations that collect, store or use personal data of EU residents need to comply by 25 May, or risk penalties of up to €20 million or 4% of global annual turnover.
Compliance is required regardless of whether a company owns the data, or is just a service provider processing data for another company.
New Zealand companies intending to launch their services in the EU need to be GDPR-compliant before contracting with EU companies.
New Zealand Trade and Enterprise says EU partners expect New Zealand companies to have a compliance plan in place before GDPR takes effect.
It notes that GDPR rules range from using plain language when communicating about data collection, to giving people the ‘right to be forgotten’, to keeping only data necessary for a specific purpose.
The European Commission website contains a comprehensive summary of GDPR and its requirements. The Law Society of Scotland has also published a GDPR guide for law firms.
New Zealand-specific information has been provided by the New Zealand Law Society ("GDPR compliance in four steps"), Lane Neave ("Preparing for the EU's General Data Protection Regulation"), Russell McVeagh ("GDPR - a summary"), the Office of the Privacy Commissioner (General Information Document for Asia Pacific Privacy Authorities), Kensington Swan ("The long arm of the law"), MinterEllisonRuddWatts ("Biggest Shake up to data privacy law in 20 years"), and the Marketing Association ("What New Zealand marketers need to know about the GDPR").