Tom Maasland and Richard Wells of MinterEllisonRuddWatts delve into the impacts and influence of the EU's General Data Protection Regulation for banks

By Tom Maasland & Richard Wells*

The General Data Protection Regulation of the European Union (GDPR) came into force on 25 May this year and is the biggest shake up to European data privacy laws in 20 years.

Critically, a business anywhere in the world (including New Zealand) will be subject to the GDPR where:

- it processes or controls personal data of individuals residing in the Union; and

- the processing activities are related to offering goods and services to, or monitoring the behaviour of, individuals in the Union.

Banks with operations, business or potential business within the Union should turn their minds to whether they fall within the ambit of GDPR. It is important to undertake this analysis, as the compliance requirements and sanctions under GDPR are much more onerous than those that apply under the current Privacy Act (and even those proposed under the Bill).

There are a number of areas in which the GDPR deviates from New Zealand privacy law, and some of the most marked have implications for systems and processes used within the organisation.

In particular, and this may come with a price tag, banks will need to have the necessary technology solutions in place to be able to comply with the following requirements:

1. Mandatory breach notification

In general terms the changes that are discussed above with respect to mandatory breach notification under the Bill would need to be accelerated for GDPR compliance.

2. Consent

Consent under GDPR (for example to marketing or for profiling purposes) requires a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the individual’s authorisation. Silence, pre-ticked boxes or inactivity is not enough to constitute consent or deemed consent. The systems that support existing consent gathering may need to be reconfigured, upgraded or replaced to cope with much more sophisticated consent gathering requirements. Agencies will need to be able to produce evidence that consent has been obtained, and therefore the use of reliable systems is a must.

3. The right to be forgotten

Since personal data must be erased on request of the individual, unless there are compelling reasons, systems need to be capable of finding and erasing data. Banks may also need to consider the extent to which and how this can be achieved in respect of back-up and archive data. This may be burdensome where data is held in disparate systems. It may be that some but not all data about an individual will need to be erased, which means further complexity.

4. Data portability

This means that on request an individual is entitled to receive a copy of all personal data held about them in a structured, commonly used and machine-readable format. Similar to the right to be forgotten requirement, systems need to be capable of finding and gathering all of the relevant data and (in what is possibly the more complex task, at least as an initial exercise) mapping and structuring that data for use elsewhere.

In terms of processes, the “privacy by design” requirement of GDPR requires an agency to implement measures to show that they have considered and integrated data protection into their processing activities. Whilst this may not be a legal requirement for New Zealand agencies unaffected by GDPR (even under the proposals in the Bill), “privacy by design” is just an example of good planning and it is likely that banks will be doing this in any case.

Similarly, where, for example, a bank wishes to leverage personal data for a novel purpose or commercialise it in some way by providing it to a third party, it will be necessary for the bank to undertake a privacy impact assessment (PIA), at least in certain higher risk situations. Taking the opportunity to undertake a PIA is a useful exercise, particularly when it comes to considering whether data that appears anonymous could actually lead to the re-identification of the individual once it is combined with other data collected from elsewhere. Again, undertaking a PIA reflects best practice and banks should be familiar with this.

--------------------------------------------

*Tom Maasland and Richard Wells are corporate and commercial partners at law firm MinterEllisonRuddWatts.

This is the second in a series of three articles. The first one is here.
