Privacy law changes - is your business affected?

The GDPR comes into effect on May 25, 2018. But what does it mean for New Zealand businesses and how should you prepare?

What is the GDPR?

The General Data Protection Regulation (GDPR) is a European Union privacy law that was passed by the European Commission in April 2016. When it comes into effect later this week, it will replace EU privacy laws that have been in place since 1995.

The purpose of the GDPR is to strengthen and modernise data protection law in the EU. It will regulate how the personal data of EU citizens is treated and used.

Does it apply to New Zealand businesses?

Many New Zealand businesses will likely be affected by the GDPR.

The GDPR applies to (1) all organisations established in the EU and (2) all organisations that process the personal data of EU citizens or offer their goods/services to EU citizens, regardless of where the organisation is established. Organisations that fall within this definition will be classified as ‘data controllers’ under the GDPR and as such must comply with the regulations.

In short, this means that the GDPR could apply to any New Zealand business that processes the personal data of EU citizens, even if the business operates solely in New Zealand and does not collect the data for commercial purposes.

For example, if it is possible for an EU citizen to visit your website and your business has a website that is monitored by Google Analytics or utilises a Facebook pixel, you may be subject to the GDPR despite the fact that you do not use or manipulate that data for advertising or marketing purposes.

We understand that GDPR compliance is a daunting task and one that’s easy to put in the ‘too hard’ basket. However, businesses that do not comply could face significant sanctions of up to €20 million or 4% of annual turnover, whichever is higher.

In addition, New Zealand has a new Privacy Bill currently under submission, set to replace the Privacy Act 1993. While the new Privacy Bill may not go to the same lengths as the GDPR to protect privacy rights, it is best to prepare now for stricter privacy rules and enforcement in New Zealand.

What can you do to prepare for the GDPR?

You should consider how your business, and in particular your website and social media channels, collects personal data, either actively or passively. You should then assess whether there is any chance that the data being collected could relate to EU citizens.

For example, we recommend that you review your marketing processes and practices, including but not limited to:

Facebook marketing – if your business uses Facebook for marketing purposes, you should refer to Facebook’s updated Business Tools Terms and ensure that your practices are compliant. This is particularly applicable to businesses that have a Facebook pixel installed on their website or those that use Facebook’s Custom Audiences feature
Email marketing – businesses that use MailChimp or a similar tool for email marketing should ensure that they have collected subscriber consent in accordance with GDPR requirements. For an overview of the requirements, we suggest reading MailChimp’s guide to GDPR
Website usage – you should review your organisation’s privacy policy and ensure that the up-to-date policy is available for website visitors to view on your website
Google Analytics – if your website uses third-party plugins such as social sharing tools, this may mean that your Google Analytics data is being shared with third parties. Therefore, you need to obtain tracking consent by using a plugin such as Cookie Notice. If you are using Google Analytics, you also need to allow website visitors to delete their data if they wish to do so by enabling Google’s user deletion tool once it is released. For further information, refer to Google’s updated EU user consent policy

We strongly encourage you to seek legal advice in regard to the GDPR and how it may affect your business. If you’d like to speak with us about the GDPR and your organisation’s data processing practices, or Facebook’s new Business Tools Terms, please get in touch with Andrew or contact reception.

This article is brief and general in nature. You should not treat this article as legal advice and should seek professional advice before taking any action in relation to the matters dealt with in this article. Armstrong Murray accepts no liability for losses suffered by any person or organisation who may rely directly or indirectly on this article.

Andrew Reeder

Director

09 489 9102

andrew@armstrongmurray.co.nz

Back to Insights

Cancellation of commercial leases during COVID-19

23 March 2020

How will COVID-19 affect your commercial lease?

31 October 2018

Cookie	Duration	Description
_GRECAPTCHA	5 months 27 days	This cookie is set by the Google recaptcha service to identify bots to protect the website against malicious spam attacks.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gat_gtag_UA_66609204_1	1 minute	Set by Google to distinguish users.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.

Privacy law changes – is your business affected?