By Tom Maasland & Richard Wells*
The General Data Protection Regulation of the European Union (GDPR) came into force on 25 May this year and is the biggest shake up to European data privacy laws in 20 years.
Critically, a business anywhere in the world (including New Zealand) will be subject to the GDPR where:
it processes or controls personal data of individuals residing in the Union; and
the processing activities are related to offering goods and services to, or monitoring the behaviour of, individuals in the Union.
Banks with operations, business or potential business within the Union should turn their minds to whether they fall within the ambit of GDPR. It is important to undertake this analysis, as the compliance requirements and sanctions under GDPR are much more onerous than those that apply under the current Privacy Act (and even from the law that is proposed under the Bill).
There are a number of areas in which the GDPR deviates from New Zealand privacy law, and some of the most marked have implications for systems and processes used within the organisation.
In particular, and this may come with a price tag, banks will need the necessary technology solutions to be able to comply with the following requirements:
1. Mandatory breach notification
In general terms the changes that are discussed above with respect to mandatory breach notification under the Bill would need to be accelerated for GDPR compliance.
2. Consent
Consent under GDPR (for example to marketing or for profiling purposes) requires a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the individual’s authorisation. Silence, pre-ticked boxes or inactivity is not enough to constitute consent or deemed consent. The systems that support existing consent gathering may need to be reconfigured, upgraded or replaced to cope with much more sophisticated consent gathering requirements. Agencies will need to be able to produce evidence that consent has been obtained, and therefore the use of reliable systems is a must.
3. The right to be forgotten
Since personal data must be erased on request of the individual, unless there are compelling reasons, systems need to be capable of finding and erasing data. Banks may also need to consider the extent to which and how this can be achieved in respect of back-up and archive data. This may be burdensome where data is held in disparate systems. It may be that some but not all data about an individual will need to be erased, which means further complexity.
4. Data portability
This means that on request an individual is entitled to receive a copy of all personal data held about them in a structured, commonly used and machine-readable format. Similar to the right to be forgotten requirement, systems need to be capable of finding and gathering all of the relevant data and (in what is possibly the more complex task, at least as an initial exercise) mapping and structuring that data for use elsewhere.
In terms of processes, the “privacy by design” requirement of GDPR requires an agency to implement measures to show that they have considered and integrated data protection into their processing activities. Whilst this may not be a legal requirement for New Zealand agencies unaffected by GDPR (even under the proposals in the Bill), “privacy by design” is just an example of good planning and it is likely that banks will be doing this in any case.
Similarly, where, for example, a bank wishes to leverage personal data for a novel purpose or commercialise it in some way by providing it to a third party, it will be necessary for the bank to undertake a privacy impact assessment (PIA), at least in certain higher risk situations. Taking the opportunity to undertake a PIA is a useful exercise, particularly when it comes to considering whether data that appears anonymous could actually lead to the re-identification of the individual once it is combined with other data collected from elsewhere. Again, undertaking a PIA reflects best practice and banks should be familiar with this.
*Tom Maasland and Richard Wells are corporate and commercial partners at law firm MinterEllisonRuddWatts.
This is the second in a series of three articles.