New Zealand: No need to fear: getting your head around the GDPR

If you have been reading anything about the impending go-live date of the General Data Protection Regulation (GDPR), you might be feeling a bit daunted: more stringent data protection standards, heightened rights for individuals, harsher penalties on data controllers and processors for failing to comply...chances are you are sweating and thinking "does this apply to me? Is my business up to scratch?"

Do not panic!

The GDPR does represent some significant changes in the privacy world. For some businesses they require immediate attention, and for all businesses in New Zealand those changes are coming, it is just a matter of time.

But there is nothing to fear so long as you are informed, prepared and equipped to take on the changes, and despite the Regulation coming into force today (May 25 2018) you still have time to take stock of your position.

What is the General Data Protection Regulation?

It is the European Union's (EU) new legal framework for data protection. It is enforceable by national privacy authorities (like the Information Commissioner's Office in the United Kingdom).

The GDPR aims to better protect the privacy rights of EU residents by granting them greater control over how their personal data is collected, processed and stored by businesses.

It requires greater transparency about how businesses handle personal data and imposes stricter accountability measures to ensure personal data is being properly protected.

It is a large step ahead of our Privacy Act 1993 and the Privacy Bill currently before Parliament.

But I am not in Europe, why do I care?

While the GDPR is an EU regulation, it has extra-territorial application. New Zealand businesses are governed by the GDPR to the extent that they deal with personal data belonging to individuals residing in the EU.

Even if you are not doing business in the EU, the GDPR contains a very broad catch all that wraps up anyone "monitoring the behaviour of" EU residents.

You are certainly subject to the GDPR if you offer goods and services to EU residents (for example you operate an online store directed, in whole or in part, at EU residents), or you operate an office in the EU (think: Air New Zealand and Fonterra), and you process personal data belonging to individuals residing in the EU (regardless of whether it is processed in the EU or not).

If you are a business with a web presence directed at EU residents or with an EU user base, you should assume the GDPR applies to you.

While the GDPR comes into force today there has been widespread reporting that most national privacy regulators in the EU are unprepared for it. So in the short term, it's pretty unlikely anyone will be knocking down your door, or your inbox.

Still, it's a smart time to get your house in order. Law reform in this area is coming locally in any event.

And even if the regulation cannot be directly applied to you today, if you are buying the services of Google, Microsoft, Amazon, HubSpot, Mailchimp, Shopify, or any major international web service, you have probably already been required to be GDPR compliant. If you are not, you are probably in breach of those contracts.

Did you read those updated terms of use? Of course you did.

Meanwhile in New Zealand, the Privacy Bill currently before Parliament is a weak upgrade to the current Act. Privacy commentators have largely joined with our Privacy Commissioner in urging Parliament to follow the GDPR closely and swiftly, so we expect the Bill to be renovated in light of the GDPR as it goes through the legislative process.

The good news is that, by and large, the Privacy Act and the GDPR are comparable, and if you're complying with the Act you're well on your way to GDPR compliance too.

However, the GDPR sets out your obligations in dealing with personal data in much tighter language and introduces some significant new rights for data subjects.

New rules, new language

The key terms of the GDPR are different than those in the Privacy Act but many are equivalent to what we already understand. For example, use of personal information under the Act becomes processing of personal data in the GDPR. The Privacy Act's Identifiable individuals are the GDPR's data subjects, and so on.

But there are some differences too. For example, The Privacy Act talks about an "agency" – the person holding personal information. In the GDPR one becomes two: "data controllers" and "data processors." That split is easy to understand in an IT context. If Spotify hosts its music software on the servers of AWS, then all that information about your love of S-Club 7 is controlled by Spotify, but processed by AWS.

But others will now wear two hats. Some data they collect and control for themselves (a data controller hat) e.g. browsing data: are you checking out cots and nappy bags? Other data they collect and process on behalf of sellers (data processor hat) e.g.: purchase and bid data that is collected in fulfilment of the agreement they have to make an item available for sale.

Under the Privacy Act, if you are processing the data, you have obligations to the individual who that information is about even if you do not 'own' that customer relationship. Under the GDPR, if you are having someone else process data for you, you have to front to your customer yourself every time.

If you are a small suburban florist using Mailchimp as your data processor, that might make you the tail trying to wag the dog.

For now, your business should take note of, and understand the shifting terminology, and consider your position as a processor or controller of personal information. If your business is dependent on a large data processor like Trade Me, have a think about how you might require them to comply with erasure requests in the future.

New rights for individuals

The GDPR introduces a number of new rights which individuals can enforce against you as a data controller in relation to how their personal data is handled. The four big ticket developments, in our view, are data portability, clarity of privacy information, rights in relation to artificial intelligence (AI) and the right to be forgotten.

The right to personal data portability in basic terms is the right to have all of your data given to you in a common format to do with as you wish. Want to take all of your music playlists from Spotify to Rdio? You now have the right.

The underlying policy is that individuals 'own' their data and if they want to change service provider or otherwise go elsewhere with their data then they should not be restricted in doing so. It is as much the removal of a competitive barrier as it is bolstering your privacy.

The right to clear privacy information greatly increases the demands on your privacy disclosure practices. Your old privacy policy will almost certainly need a tune up to make sure you're disclosing precisely the information you're collecting and processing, who you are transferring it to, how long you are keeping it and how to contact you to complain or to exercise rights. And that it is doing all of those things in a clear, precise and transparent way.

If you apply automated decision making based on the personal data you have collected you need to disclose this and explain the relevance and impact. The provisions about the use of "AI" to make decisions which impact the lives of individuals are a glimpse of just how significant this technology has already become.

Those provisions include a right to object to automated decision making about you at any time and the data controller can only continue if they are fulfilling a legal obligation, or have compelling legitimate grounds to and even where those exceptions apply, you will usually have the right to obtain human intervention and to contest any decision the AI has made about you.

The right to be forgotten is actually a simple right to the erasure of information held about you without undue delay. It became known as the right to be forgotten after Mario Consteja Gonzalez took Google to court in Spain to compel them to remove historical information about him from search results. He won, and to varying degrees across Europe the right to be forgotten is already law but the GDPR gives it consistency and, of course, potential extra-territorial impact.

The right to be forgotten has been one of the most talked about gaps in the Privacy Bill currently before Parliament. Expect lots of submissions on its inclusion, and expect change in this area of the law.

For established businesses who haven't modernised their database architecture the right to be forgotten could bring with it significant practical difficulties. If your systems can't handle removal of data about individuals, that is something to address urgently.

Privacy by design

The GDPR expressly requires organisations to be accountable for their management of personal data.

Not only are you required to collect personal data only for legitimate purposes, keep personal data secure, and for only as long as it reasonably required, and act lawfully and transparently in doing those things. You must be able to demonstrate your compliance with data protection principles.

There are specific security provisions which require you to take appropriate technical and organisational measure to ensure an appropriate level of security, which measure may include pseudonymisation, encryption and processes for regularly testing and evaluating security.

You must adopt a privacy by design approach including, as a matter of process, removing identifying information when it is no long required, not putting personal data to any further use without seeking additional consent (unless an exception applies), and keeping data accurate and up to date.

In many cases you will be required to designate a data protection officer (commonly called a privacy officer in New Zealand).

One of the tasks of that data protection officer will be comply with the requirement to notify any personal data breach to a supervisory authority within 72 hours and to an individual personally where a breach is likely to result in a high risk to that person's rights and freedoms.

Stricter consent requirements

Nobody reads the privacy policy, right? Right. The GDPR makes that your problem.

The "one-signature-consents-to-all" approach will no longer suffice. Consent now needs to be positively and explicitly obtained through a separate agreement with an individual, which clearly sets out any risks associated with any transfer of personal data.

"Affiliate consent" where one company obtains consent on behalf of all of its affiliates is gone too.

If you are a user of any internet service, your inbox will have been bulging over the last few days with updated privacy policies and notifications of GDPR compliance. The irony being that as companies rush to get their house in order, beef up their consents, and swamp you with information about how they've done that, they are doing exactly what the GDPR does not want them to do.

There is no easy answer, but poorly obtained consents and low quality communication of complex privacy information will be low hanging fruit for regulators once they tool up.

Final tips

So what do you do with all of this? What has changed today compared to yesterday?

The key take away for you is to bump this up your list of priorities. The GDPR requires businesses to make changes to policies and processes relating to personal data, and it is likely the Privacy Act will eventually follow suit.

Taking steps to come within the GDPR today is effectively future-proofing for where New Zealand's domestic law is likely to inevitably end up.

Familiarise yourself with your business and its current data management practices so you know what you need to update: where is personal data stored? How long does your business hold it for? How does your company currently respond to data breaches?

Knowing your current practices will help you to determine where to start with making changes to comply with the GDPR.

It is important to keep the GDPR in perspective as it swings into global force today. There is no need to fear the GDPR.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on

Click to Login as an existing user or Register so you can print this article.

Similar Articles
Relevancy Powered by MondaqAI
Wynn Williams Lawyers
Some comments from our readers…
“The articles are extremely timely and highly applicable”
“I often find critical information not available elsewhere”
“As in-house counsel, Mondaq’s service is of great value”

Related Topics
Similar Articles
Relevancy Powered by MondaqAI
Wynn Williams Lawyers
Related Articles
Up-coming Events Search
Font Size:
Mondaq on Twitter
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).
Email Address
Company Name
Confirm Password
Mondaq Topics -- Select your Interests
 Law Performance
 Law Practice
 Media & IT
 Real Estate
 Wealth Mgt
Asia Pacific
European Union
Latin America
Middle East
United States
Worldwide Updates
Registration (you must scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of

To Use you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.


The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.


Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions