The GDPR comes into effect on May 25, 2018. But what does it mean for New Zealand businesses and how should you prepare?

What is the GDPR?

The General Data Protection Regulation (GDPR) is a European Union privacy law that was passed by the European Commission in April 2016. When it comes into effect later this week, it will replace EU privacy laws that have been in place since 1995.

The purpose of the GDPR is to strengthen and modernise data protection law in the EU. It will regulate how the personal data of EU citizens is treated and used.

Does it apply to New Zealand businesses?

Many New Zealand businesses will likely be affected by the GDPR.

The GDPR applies to (1) all organisations established in the EU and (2) all organisations that process the personal data of EU citizens or offer their goods/services to EU citizens, regardless of where the organisation is established. Organisations that fall within this definition will be classified as ‘data controllers’ under the GDPR and as such must comply with the regulations. 

In short, this means that the GDPR could apply to any New Zealand business that processes the personal data of EU citizens, even if the business operates solely in New Zealand and does not collect the data for commercial purposes.

For example, if your business has a website that is monitored by Google Analytics or utilises a Facebook pixel, and it is possible for an EU citizen to visit that website, you may be subject to the GDPR even though you do not use or manipulate that data for advertising or marketing purposes.

We understand that GDPR compliance is a daunting task and one that’s easy to put in the ‘too hard’ basket. However, businesses that do not comply could face significant sanctions of up to €20 million or 4% of annual turnover, whichever is higher.

In addition, New Zealand has a new Privacy Bill currently under submission, set to replace the Privacy Act 1993. While the new Privacy Bill may not go to the same lengths as the GDPR to protect privacy rights, it is best to prepare now for stricter privacy rules and enforcement in New Zealand.

What can you do to prepare for the GDPR?

You should consider how your business, and in particular your website and social media channels, collects personal data, either actively or passively. You should then assess whether there is any chance that the data being collected could relate to EU citizens.

For example, we recommend that you review your marketing processes and practices, including but not limited to:

  • Facebook marketing – if your business uses Facebook for marketing purposes, you should refer to Facebook’s updated Business Tools Terms and ensure that your practices are compliant. This is particularly applicable to businesses that have a Facebook pixel installed on their website or those that use Facebook’s Custom Audiences feature
  • Email marketing – businesses that use MailChimp or a similar tool for email marketing should ensure that they have collected subscriber consent in accordance with GDPR requirements. For an overview of the requirements, we suggest reading MailChimp’s guide to GDPR
  • Website usage – you should review your organisation’s privacy policy and ensure that the up-to-date policy is available for website visitors to view on your website
  • Google Analytics – if your website uses third-party plugins such as social sharing tools, this may mean that your Google Analytics data is being shared with third parties. Therefore, you need to obtain tracking consent by using a plugin such as Cookie Notice. If you are using Google Analytics, you also need to allow website visitors to delete their data if they wish to do so by enabling Google’s user deletion tool once it is released. For further information, refer to Google’s updated EU user consent policy

We strongly encourage you to seek legal advice in regard to the GDPR and how it may affect your business. If you’d like to speak with us about the GDPR and your organisation’s data processing practices, or Facebook’s new Business Tools Terms, please get in touch with Andrew or contact reception.


This article is brief and general in nature. You should not treat this article as legal advice and should seek professional advice before taking any action in relation to the matters dealt with in this article. Armstrong Murray accepts no liability for losses suffered by any person or organisation who may rely directly or indirectly on this article.