The General Data Protection Regulation (also known as the GDPR), which was enacted in May 2016 and came into force late last month, seeks to offer greater protection of individuals’ rights to privacy and enhance data protection.
While the GDPR is designed for individuals in the European Union (EU), it classifies New Zealand as an ‘adequate third country’.
What does this mean for New Zealand businesses?
All businesses which comply with the New Zealand Privacy Act are also considered to comply with the EU GDPR. However, you will need to take extra care if your business:
- Clearly markets to EU customers (e.g. runs campaigns targeted at those customers, accepts payment in Euros and/or delivers products or services to EU citizens over the Internet).
- Uses any form of tracking (analytics, Facebook Pixel, etc.) that might result in the behaviour of EU citizens being monitored when they might be resident in the EU and accessing services or communications over the Internet.
The GDPR does allow you to aggregate data for statistical purposes, but it must not be possible to link any anonymised or aggregate data back to an identifiable individual, and the data collected must not be in breach of any privacy laws.
You may wish to review any business practice that includes the above or relies on the anonymisation, aggregation and reporting (or sale) of data that you collect about customers in the course of business.