
GDPR Impact on NZ Businesses – Explained in 5 Minutes

Here’s a quick rundown of the impact of the GDPR for NZ businesses. Find out which local businesses will be affected and what changes need to be made to comply with the new regulations.

During this past week your email inboxes have probably been rammed with emails from companies informing you that their data collection and privacy policies have changed and that they need your permission to continue communicating with you – citing the GDPR law changes in the EU as the reason. A surprise for many who never knew that their data was sitting in a particular company’s database or for those who never bothered to opt-out of pesky newsletters.
The GDPR (General Data Protection Regulation) is a legal framework that sets guidelines for the collection and processing of personal information of individuals within the EU. It went into effect on the 25th of May, 2018 and has been hailed as a new dawn for data privacy on the internet.
Till now, the default state of affairs was that users of a website consented to their data being harvested and used for advertising and marketing. You used an app on Facebook, your data belonged to a third party and could be sold off (think Cambridge Analytica scandal). You logged on to a website, cookies were being dropped into your browser without your knowledge, allowing marketers to follow you around the internet, monitor your browsing history and serve you with ads related to your behaviour.

Enter the GDPR…now the default state for individuals is opted out.
Users now need to be explicitly informed of what data is being collected, what it’ll be used for, how long it’ll be kept for and how it’ll be protected. Empowered with this information, users can then give explicit consent for this information to be used for marketing activities. Goodbye default opt-ins, sneaky cookie drops etc. Companies that fail to do this run the risk of being sued for 4% of their annual revenue. The day the GDPR kicked in, Google and Facebook faced lawsuits of 8+ billion dollars.
New Zealand, despite not being part of the EU, isn’t immune to these changes. Many local businesses get visitors from overseas. Think hotels, tourist activities, real estate etc. According to law firm Russell McVeagh and the GDPR regulation text itself, the following New Zealand businesses run the risk of non-compliance and therefore legal action:
a) If the NZ business has an office established in the EU.
b) If the NZ business offers goods or services directly to EU data subjects.
c) If the NZ business processes sensitive data.
Point b) covers all businesses that offer goods and services to people living in the European Union. Point c) takes it a step further and essentially covers all websites (blogs, portfolios etc.) that have tracking scripts, apps and plugins installed that can reveal a user’s sensitive data.

Depending on the kind of business you run and the amount of data collection you undertake, there will be different requirements. Here are some steps you can undertake in order to bring your site up to scratch with the EU compliance regulations:

  1. Review all tracking scripts and plugins present on your website. You as a business owner need to know exactly what data your site collects. Your webmaster should be able to break it down for you. The end user will have to be informed of all the kinds of data that are being collected on the site. The most common data collection utility you’ll find will be Google Analytics. Ensure that it is set up correctly, keeping in mind that you have the option to treat EU IP addresses differently to NZ IP addresses to maximise benefits for your business.
  2. Prepare a privacy policy for your website and ensure that it is visible. The privacy policy must include information about the data being collected, the purpose of data collection, the user’s rights relating to the data, your data security policy and the processes the user is to follow in order to maintain their rights under the GDPR. More on user rights in (4).
  3. If you’re using cookies, which the majority of sites are thanks to Google Analytics and other such utilities, then clearly display a notice notifying the user that you are collecting data and link that notice to your privacy policy so that they may make an informed decision.
  4. Put in place systems which allow the user to exercise their rights in relation to their personal data. What are these rights?
  • The right of access to their data
  • The right to require that their data be rectified
  • The right to request that their data be deleted
  • The right to restrict the processing of their data
  • The right to require that their data be transferred to another business
  • The right not to be subject to automated decision-making, including profiling
  5. If you build an email database using your customer or visitor data, they now need to be notified of your intent and the data points being collected.
  6. If you have an existing email database with people from the EU on it, those people now need to be asked for explicit consent before you can communicate with them any further. If you’ve had personal conversations in the past, e.g. emailing Nan in the UK from your work email, you needn’t do this.
  7. If you’re collecting, processing and storing data from your site, you need to implement best practices to secure it, as you’re responsible for that data. Adding an HTTPS (SSL) connection to your site is a start, as it makes it harder for the data collected to be compromised. Also, ensure that all your security measures are up to date to prevent data leaks and hacks.
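Steps 3 and 4 above describe a cookie notice and user-controlled consent, and the post's central point is that the default state is now opted out. As an added example that is not the post's own code, the JavaScript below gates a tracking script (such as Google Analytics) behind explicit, per-purpose consent; the storage key, the 180-day re-ask period and the purpose names are this example's assumptions, and the in-memory storage is a constructed stand-in for localStorage so it runs outside a browser.

```javascript
// Added example, not the original post's code: consent-gated tracker loading.
// Default is opted out: no script loads, no cookie drops, until explicit consent.
const CONSENT_VERSION = 1;                        // bump when the privacy policy changes
const CONSENT_TTL_MS = 180 * 24 * 60 * 60 * 1000; // assumed re-ask period: 180 days
const STORAGE_KEY = 'site_consent';               // assumed key name

// storage: anything with the localStorage interface; loadScript: injects the
// <script> tag in a real page; now: injectable clock so expiry can be tested.
function createConsentManager({ storage, loadScript, now = Date.now }) {
  function read() {
    const raw = storage.getItem(STORAGE_KEY);
    if (raw === null) return null;
    try {
      const rec = JSON.parse(raw);
      if (rec.version !== CONSENT_VERSION) return null;       // policy changed: re-ask
      if (now() - rec.grantedAt > CONSENT_TTL_MS) return null; // consent expired
      return rec;
    } catch (e) {
      return null; // a corrupt record counts as no consent
    }
  }
  // Consent is recorded per purpose (e.g. 'analytics', 'marketing'), not all-or-nothing.
  function hasConsent(purpose) {
    const rec = read();
    return rec !== null && Array.isArray(rec.purposes) && rec.purposes.includes(purpose);
  }
  function grant(purposes) {
    const rec = { version: CONSENT_VERSION, grantedAt: now(), purposes: [...new Set(purposes)] };
    storage.setItem(STORAGE_KEY, JSON.stringify(rec)); // timestamped record of what was agreed
  }
  function revoke() {
    storage.removeItem(STORAGE_KEY); // withdrawing consent must be as easy as giving it
  }
  // Load a tracking script only if its purpose has been consented to; returns whether it did.
  function loadIfConsented(purpose, src) {
    if (!hasConsent(purpose)) return false;
    loadScript(src);
    return true;
  }
  return { hasConsent, grant, revoke, loadIfConsented };
}

// Constructed stand-in for window.localStorage so the example runs outside a browser.
function memoryStorage() {
  const m = new Map();
  return { getItem: (k) => (m.has(k) ? m.get(k) : null),
           setItem: (k, v) => { m.set(k, String(v)); },
           removeItem: (k) => { m.delete(k); } };
}
```

In a real page, pass window.localStorage as storage and a loadScript that appends a script element to document.head, and call loadIfConsented from the notice's accept handler and on each later page load.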

The above should give businesses dealing with customers in the EU a general overview of what they need to do in order to comply with the new regulations. Depending on the business or website, there may be fewer or more changes that will need to be undertaken. With this precedent being set, it won’t take long before data privacy regulations are implemented in most countries and it is prudent to update your data policies and digital marketing tactics.

Because these law changes apply mostly to businesses with visitors from the EU, advertising to NZ audiences won’t be affected too much. In saying that, the largest advertising companies such as Google & Facebook have offices in the EU so the amount of data available to marketers will shrink which will make targeting harder. Many online businesses that relied on targeting using this data have noticed a collapse in traffic and conversions over the past week. Within the coming weeks we will better understand the implications of these law changes.
If you’re an NZ business that is dealing with customers or visitors from the EU, you should talk to your digital marketer / webmaster and ensure that your site and data policies comply with the GDPR. If you don’t have access to the above or they don’t know what to do, then visit our GDPR form and we’ll get back to you. As a rule of thumb, GDPR compliance should cost you no more than $400, including an SSL certificate & installation.
