A new European Union data privacy law
The purpose of the GDPR is to create a consistent data privacy law that applies to all EU members, so that each member state doesn’t need to have its own law.
Who does the GDPR apply to?
Although the GDPR is an EU law, it also applies to organisations outside the EU when they either:
- offer goods or services to individuals in the EU (even if payment isn’t required)
- monitor a person’s behaviour in the EU.
What are the key obligations under the GDPR?
There are 6 data protection principles in the GDPR. These are:
- Lawfulness, fairness and transparency – When processing personal data
- Purpose limitation – Only collect personal data for specific, explicit, and legitimate purposes
- Data minimisation – Personal data must be adequate, relevant, and limited to what is needed for the specified purpose
- Accuracy – Correct or delete inaccurate personal data, and keep it up to date
- Storage limitation – Keep personal data in an identifiable form, and for no longer than necessary
- Integrity and confidentiality – Keep personal data secure.
These principles are broadly similar to the information privacy principles in the Privacy Act 1993.
How is the GDPR different to the Privacy Act 1993?
The GDPR introduces many new concepts and obligations, so we recommend that you get legal advice if you are unclear about how these obligations affect you.
We’ve added new content for the GDPR in the Managing Information section of ComplyWith.
Given the GDPR’s overlap with the Privacy Act, we have only included 1 compliance obligation, but we have also added a table in the commentary setting out a high-level summary of some of the key additional obligations.
A full version of the GDPR is available on the Official Journal of the European Union website.
What are the penalties for not complying with the GDPR?
There are significant penalties for failing to comply with the GDPR, including a fine of up to €20 million, or 4% of global annual turnover (whichever is greater).
You can also be required to compensate a person who has suffered damage because you haven’t complied with the GDPR.
The Privacy Commission has published useful guidance and resources for the GDPR.
New Zealand Trade and Enterprise has also created helpful guidance on the GDPR principles.
What do we need to do?
If this law applies to your organisation, you’ll need to allocate this new obligation in your survey.
Please contact the Head of Delivery Team at ComplyWith if you need help with this (firstname.lastname@example.org).