How 3 Non-EU Organisations Are Dealing with the GDPR
The 25th of May 2018 was a big day for the internet. Most end users probably just noticed an increase in inbox traffic and pop-ups, with requests to opt-in or accept new cookies.
But for those with a little more skin in the game, the implementation of the European Union’s General Data Protection Regulation (GDPR), over two years in the making, was a far more serious affair. It saw sweeping reforms on EU data protection and privacy rights being instituted overnight, with the online businesses and organisations who managed this data being held immediately accountable for non-compliance.
To GDPR or not to GDPR
While the rules for organisations within the EU were relatively cut-and-dried (as much as they can be with such broad and pioneering legislation), the platform on which they were to be applied – the internet – is essentially borderless. Non-EU organisations were put in an awkward situation – while their businesses were based outside of the union, many of their business interests, including customers, were not.
In such cases, where do the responsibilities for GDPR compliance lie? And what might these responsibilities look like? To find out, we spoke to three people who have been tasked with working out exactly that – those within global, internet-reliant businesses based outside of EU borders.
Tim Kremer is co-founder of Avaza, a project management and accounting software as a service (SaaS) provider founded in Australia. Alf is the elusive founder of The Moon Unit, a New Zealand-based creative services provider that specialises in sculpting pitches and marketing materials for many of the world’s leading brands. And Caroline Carver is principal consultant at TwoBlackLabs, another New Zealand-based operation, but one focused on data privacy and protection consultancy which has quickly built a reputation as the authority on non-EU GDPR compliance.
So, first question’s first.
How has the GDPR affected you as an Australian/New Zealand business?
The waters were particularly muddy for SaaS organisations like Avaza. SaaS providers simply host applications for customers and have limited contact with the end user’s actual data, so where do GDPR responsibilities lie?
“We initially found the GDPR very confusing,” admits Kremer. “There’s a lot of fear, uncertainty and doubt spread online about it, which is to be expected given its complexity and lack of clear direction in many practical implementation areas.” To cut through the noise, Avaza went all in. They committed serious resources to studying the legislation in its original form, then compared their notes with others online.
A lot of time and money was spent on the process, but the results were worth the effort. The company’s European customers, it turned out, were just as confused as the rest of the world. Myths and untruths were everywhere, but happily the company’s commitment to compliance saw them navigate the change better than most.
TwoBlackLabs found that the New Zealand Privacy Act had a surprising amount of overlap with the GDPR. “When completing reviews of GDPR compliance, we identified that many customers are also non-compliant with the NZ Privacy Act,” notes Carver. So the organisation simply applied the GDPR across the board. “By addressing the requirements of GDPR, [our customer’s] overall compliance with the NZ Privacy Act has also improved.”
What changes have you made within your business in response to the GDPR?
But not all GDPR stories are good news. As creatives, the legislation has complicated matters at The Moon Unit. “It’s reduced the amount of people we can talk to and meaningfully engage with,” says Alf. “We’ve stopped EDM marketing to the UK and Europe. We’ve started to connect with people on LinkedIn and social media channels as a way to mitigate this, but it’s not really a viable alternative.”
Avaza’s commitment to compliance is writ large again in the changes that they have put in place. “We formalised our documentation and processes for relevant GDPR policy areas, established an in-house expert, conducted an audit of our own data practices and those of our suppliers, made changes in our software, and published information for our customers.” As a truly global SaaS business, Kremer know that no stone could remain unturned. “I think it’s still very open to interpretation. Time will tell the real impact on businesses as the legislation is tested and businesses come under increasing scrutiny.”
As GDPR consultants, Black Labs have seen the full gamut of reactions to the legislation. “Some clients have made changes to ensure they are not in scope of GDPR, while others have had to embark on large programs to understand their business,” Carver explains. “The largest area of change I have seen is in identifying and rationalising third parties, as the GDPR requires a company to guarantee the compliance of all third parties who process personal information. This has resulted in some companies changing third party providers to ones that can offer compliant services.”
How do you personally feel about the GDPR?
But legislation, compliance and bureaucracy aside, how do our Australian and New Zealand organisations feel about the GDPR – good, bad or indifferent? The reception, from our small sample size at least, has been mixed.
“While it’s great to have your personal data safeguarded as a consumer/individual, it also shuts down avenues for many businesses,” instructs Alf. ”It’s hurt our bottom line. Companies that send out useful content marketing – as opposed to spamming out ‘we did this, we did that’ newsletters that no one wants to know about – have been hit hard.”
Kremer of Avaza somewhat echoes Alf’s sentiments. ““I think that data privacy is extremely important, and having this conversation in the media and in government is a valuable exercise. I do however feel that such vague and ominous legislation, and a lack of understanding of technology amongst legislative and legal bodies, may have more of a negative impact on businesses than a positive impact on consumers.”
As a GDPR consultant, Carver of TwoBlackLabs finds herself on the total opposite side of the coin. “I think the GDPR is positive. It is starting to be adopted by other jurisdictions as the baseline for privacy, in California for example, and it is anticipated others will follow suit and it will become the minimum standard over time. Anything that focuses on customer rights and protection must be a positive move for all.”
Who is right? Only time will tell. But one thing is clear – the tentacles of the GDPR have stretched farther than many organisations are willing to admit, so no matter whether you find yourself within the borders of the EU or outside of it, ensuring that you’re aware of your responsibilities is a must.