The European Union’s General Data Protection Regulation (GDPR) has been in effect since May 2018.

In essence, it regulates ‘personal data’ of EU residents — from collection to use, retention, transfer and deletion.

The GDPR is a European Union regulation – so I shouldn’t be affected as a New Zealand business, right? Not necessarily, but we’ll tell you why.

The GDPR doesn’t just apply to EU businesses. It applies to any business that processes and collects personal data from an individual who resides in the European Union.

We know with the rise of online businesses and services, some Kiwi businesses are bound to be caught by the extraterritorial scope of the GDPR and may have to comply with the GDPR — so let’s break it down.

Definitions

Firstly, let’s understand how things are defined in the GDPR.

Processing: any operation performed on personal data, from collecting it through to destroying it. It is a catch-all term that covers everything done with personal data.

Personal data: any data that can identify a living person, either directly or indirectly.

Data that identifies someone directly could include a person’s name, address, email address, IP address or location data. If data identifies someone indirectly, it means it’s possible to identify someone by cross-referencing different sources of data. By itself, this data may not be able to identify an individual, but combined with other data your company possesses, it may help to achieve a positive identity match.

‘Sensitive’ personal data: this class of data should be handled with extra care. It could include race, health status, sexual orientation, religious beliefs, political beliefs, genetics or biometrics, to name a few.

Controller: this is someone who determines the purpose and methods of processing personal data (for example, you as a business decide to collect a first name, last name and email address as part of your ‘controller’ role).

Processor: this is someone who manages personal data on behalf of a controller (for example, a processor could be a marketing company that uses personal data for promotional reasons).

Data subject: any individual in the EU whose personal data is processed.

Do You Need A GDPR Privacy Policy?

It is important to think about whether you need to be GDPR compliant as a New Zealand business.

New Zealand businesses may need to comply in two circumstances:

  1. If the business has an establishment in the EU. This applies regardless of whether the business collects and processes personal data (and irrespective of where it is processed); or

  2. If the business offers goods/services to EU citizens or monitors the behaviour of individuals in the EU.

The GDPR applies to the data processing activities of all businesses, regardless of size (which is somewhere the GDPR and the New Zealand Privacy Act 2020 diverge — more on that below).

What Businesses Need To Comply With The GDPR?

Some examples of New Zealand businesses that may need to comply with the GDPR include:

  • New Zealand businesses with an office in the EU
  • New Zealand businesses that target EU customers. This could include allowing customers to order goods and services in a European language other than English, or offering customers the option to pay in Euros
  • New Zealand businesses whose website refers to EU customers or users (e.g. if you have mentioned them in testimonials or reviews)

What Do You Need To Do To Be Compliant?

We’ve already written about some quick tips on how to be GDPR compliant. But, essentially, there are seven main data protection principles that need to be adhered to.

1. Lawfulness, Fairness and Transparency

This principle is pretty straightforward. Organisations need to make sure they are clear about the personal data they are collecting. To do this, your privacy policy should state the type of personal data you’re collecting and what you’ll do with it.

2. Purpose Limitation

Here, the GDPR mandates that organisations should only collect personal data for a particular stated purpose and only collect personal data necessary to fulfil that purpose. There is more leeway for purposes in the name of the public interest or for scientific, historical or statistical purposes.

3. Data Minimisation

An organisation that collects personal data should only process this information in a way that fulfils its processing purposes. This is beneficial for both users and organisations because:

  • In the case of a data breach, there will only be a limited amount of personal data available.
  • Minimising the amount of personal data collected will make it easier to keep this data accurate and up to date.

4. Accuracy

According to the GDPR, ‘every reasonable step must be taken’ to erase or rectify personal data that is inaccurate or incomplete within 30 days of the individual’s request.

5. Storage Limitation

When the organisation stops having a need for the personal data, the GDPR mandates that it must be deleted.

6. Integrity and Confidentiality

Under this requirement, the GDPR mandates that personal data must be ‘processed in a manner that ensures appropriate security of personal data’. The GDPR does not prescribe specific measures (because technology changes so quickly); it simply requires that the measures needed to ensure this security be taken.

7. Accountability

This is referred to as the ‘accountability principle’, which means exactly that. It commands accountability by requiring the controller to be responsible for and be able to demonstrate compliance.

GDPR vs New Zealand Privacy Principles: Where Do They Differ?

There are many similarities between the requirements outlined in the GDPR and in the New Zealand Privacy Act 2020. They both include general concepts like being able to demonstrate compliance with privacy principles whilst adopting transparent information handling practices.

Below are just some of the situations where the GDPR differs from the New Zealand Privacy Act.

Processors and Controllers

The New Zealand Privacy Act does not have the notion of ‘processors’ and ‘controllers’. Having defined roles ensures accountability. Controllers also have obligations to be more transparent in their communication with individuals than what is required by the Privacy Act.

Consent

While in New Zealand consent can be implied, the GDPR mandates that consent must be made explicit by a ‘statement or by clear affirmative action’. Both systems allow consent to be withdrawn at any time.

Rights

There are certain rights in the GDPR that aren’t explicitly stated in the New Zealand Privacy Act. This includes the right to erase personal data, the right to be forgotten and the right to data portability.

Representative

Compliance with the GDPR extends to more than just a privacy policy. In some cases, you may need to appoint a ‘representative’ established in the EU. If an EU citizen or data protection supervisory authority has any questions regarding the protection of data you’re collecting, then this is where a representative comes in. They will act as the main point of contact for any questions and concerns raised.

Data Breaches

There is a more onerous requirement to report data breaches under the GDPR, and you also have a shorter time frame in which to do this.

Size of Business

As mentioned before, the New Zealand Privacy Act does not cover small businesses (those with an annual turnover of $3 million or less, subject to some exceptions). In contrast, the GDPR applies to all organisations, regardless of size and industry.

Penalties For Non-Compliance

The GDPR has two tiers of penalties for non-compliance.

1. Up to €10 million, or 2% of annual global turnover, whichever is higher. This applies to an infringement of the organisation’s obligations (which include data security breaches).

2. Up to €20 million, or 4% of annual global turnover, whichever is higher. This applies to an infringement of an individual’s privacy rights.

Brexit: What Does It Mean For GDPR?

The UK was one of the principal architects of the GDPR. But now that Brexit is well and truly underway, will you still have to comply with the GDPR if you have customers primarily in the UK?

Initially, there will be a transition period (running until 31 December 2020) during which the EU rules surrounding the GDPR will continue to apply to the UK.

Although the GDPR will cease to apply automatically to businesses in the UK after the end of the transition period, little is likely to change for New Zealand businesses with UK customers.

Many of the GDPR’s articles are planned to be carried over into UK law as a ‘UK GDPR’, so compliance will largely stay the same. The extraterritorial scope and representative requirements will also largely stay the same (but you’ll need a UK representative rather than an EU representative).

And, of course, the UK GDPR will be altered in scope to cover the personal data protection of UK individuals only.

All in all, for Kiwi businesses, the same level of compliance will most likely be necessary if you conduct business in the UK.

Key Takeaways

GDPR compliance extends beyond just having a GDPR compliant privacy policy or a cookie policy. It can be hard to know what you have to do to be compliant as there is a very high onus on businesses to protect individual personal data.

Whether you’re looking for a GDPR compliant privacy policy or specific ways to make your business compliant with GDPR — we can help! Send us an email at [email protected] or give us a call at 0800 002 184.

About Sprintlaw

We're an online legal provider operating in New Zealand, Australia and the UK. Our team services New Zealand companies and works remotely from all around the world.
