GDPR Compliance for New Zealand Businesses

21 May 2019

The General Data Protection Regulation (GDPR) aims to protect people’s right to privacy and enhance the protection of personal data.

It is more than a passing fad that blew up headlines last year; think of it as a sign of things to come.

By preparing now, Kiwi businesses can save money and improve customer relationships through the transparency of data collection and use.

What Is GDPR Compliance?

The General Data Protection Regulation is a data protection law enforced by the European Union (EU). It is the legal framework that sets out guidelines for the collection and use of personal data of people living in the EU.

Organizations that operate within the EU, or do business online with EU citizens, must ensure they comply with the new regulation. The desired outcome of the GDPR is that individuals have more transparency and control over their data, whether or not they are EU residents.

Who Needs To Comply With The GDPR?

GDPR applies to all New Zealand businesses that collect, process or store personal information of people living in the EU. Personal information may be obtained from various sources, like search engines and social networks, cookies and web analytics.

If you collect data from any person in the EU, you are required by law to be compliant, whether or not the data collection is intentional.

How GDPR Privacy Laws Affect New Zealand Businesses

Of late, there has been growing mistrust among consumers regarding the use of their personal data. The GDPR aims to restore this trust by allowing consumers to control their data fully.

Any company collecting data from EU citizens will have to show where customer data is going, reveal what it will be used for and how they will protect it.

Personal data includes users' IP addresses, location history, interests, cookie data and RFID tags.

Organizations that don’t comply risk being fined up to €20 million or 4% of their total worldwide annual revenue.

What Are the 6 Privacy Principles of GDPR?

The key responsibilities of organisations under the GDPR are summarised under the 6 privacy principles found in article 5 of the regulation. They are:

  • Lawfulness, fairness, and transparency: Make sure that your data collection practices are legal and clearly outlined in your privacy policy.
  • Purpose limitations: Personal data can only be collected for specified, explicit, and legitimate purposes.
  • Data minimisation: If you don't need it, don't collect it. It's that simple.
  • Accuracy: Everything possible must be done to keep data accurate and current.
  • Storage limitation: If you no longer require data, it must be securely removed.
  • Integrity and confidentiality: Measures should be taken to ensure that the confidentiality and integrity of personal data are maintained.

So What Should New Zealand Companies Do?

The most important thing to do is to take practical measures to improve your privacy processes. Even if you are compliant, look at areas you can improve, as more regulations will likely come in the future.

A good step to start with is an audit of the data you collect, and how you use it. From there, you can begin to improve your data security and become compliant.