It has been three years since GDPR came into effect in May 2018, and its effects have been felt around the world. It was heralded as a landmark step-change in privacy and data protection law. GDPR stands for General Data Protection Regulation, and it is the core of Europe's digital privacy legislation. In this blog, we take a look at the impact GDPR has had on data privacy in the EU and around the world over those years.
What is GDPR compliance?
Unfortunately, data breaches inevitably happen, and information can easily be lost, stolen, or fall into the wrong hands. Under the terms of GDPR, organisations must not only ensure that personal data is gathered legally and under strict conditions, but must also protect the data they hold from misuse.
GDPR: Does it apply to you?
The GDPR applies to some New Zealand organisations, especially those with global business interests. As the GDPR is European legislation, it is important that New Zealand companies answer this question: do you offer goods and services to EU residents, or monitor the behaviour of EU residents? If you provide a service to EU residents, you are required to comply with the GDPR. EU residents means people living in an EU country; if they are buying your products or using your services, then the GDPR applies to you.
Thanks to GDPR, companies are more aware than ever of the issues data breaches can cause. Since the GDPR came into effect, countless organisations have made headlines for violations, with GDPR fines rising by nearly 40% between 2020 and 2021. But what can some of the biggest data breaches in recent history teach you about your own data strategy? Here are a couple of high-profile breaches that made headlines over the past couple of years.
Google – €50 million
It was widely reported that Google was fined in 2019 for failing to disclose how its users' data is processed. Google violated the GDPR because it did not obtain user consent to process data for ad personalisation.
H&M – €35,258,707.95
On October 5, 2020, the Data Protection Authority of Hamburg, Germany, fined H&M €35,258,707.95. This is the second-largest GDPR fine ever imposed. H&M's GDPR violations involved the "monitoring of several hundred employees." After employees took sick leave, they were required to attend a return-to-work meeting. Some of these meetings were recorded and accessible to over 50 H&M managers. Senior H&M staff gained a broad knowledge of employees' private lives, and this information was used to help evaluate staff performance. H&M violated the GDPR's principle of data minimisation: you cannot process personal information, such as sensitive data about people's health and beliefs, unless you need it for a specific purpose.
What you can do:
If you haven't updated your email database with your audience in a long time, you can run a re-consent email campaign to help you stay compliant. Asking your contacts to re-consent to receiving email from you is also a great way to maintain an engaged audience. All you have to do is create an email to send to all your contacts asking whether they still want to hear from you and still wish to be subscribed. Cumulo9 can help you develop a brand-compliant template; click here to find out more.
Now is a good time for organisations to learn from others who have breached GDPR guidelines. Making compliance and data protection practices a top priority helps you avoid the consequences of a data breach. At Cumulo9 we help organisations understand the impacts of privacy legislation, including New Zealand's own Privacy Act. If you are interested in finding out more about ensuring your essential business communications are compliant, please contact us.