As privacy concerns heighten with emerging technologies, businesses in New Zealand are increasingly at risk of data breaches. Many global compliance regulations, such as the General Data Protection Regulation (GDPR), have extraterritorial reach, meaning that NZ businesses dealing with EU residents’ data may be subject to their requirements.
In this blog post, we’ll look into what NZ businesses need to consider regarding GDPR compliance and offer practical privacy insights to help navigate this often complex landscape. You may be wondering how the GDPR fits into and relates to the New Zealand Privacy Act 2020 – we’ll cover that, too. As privacy regulations are principles-based, there’s a good chance that whatever obligations you are aiming to meet, you’ll find it covers more than one. Let’s get into it.
Understanding the applicability of GDPR to NZ businesses
It’s important to note that not all NZ businesses are subject to GDPR; however, many of the privacy laws worldwide share the same principles. As mentioned, this means if you comply with one, generally you’ll be in pretty good shape to meet the requirements of others.
The NZ Privacy Act serves as the primary privacy legislation in Aotearoa, encompassing the requirements and provisions that NZ businesses must follow. It does share common principles with the GDPR, and NZ businesses that comply with the Privacy Act 2020 are likely to have a strong foundation for privacy compliance.
As for the GDPR, the regulation primarily applies to EU businesses and organisations processing personal information of EU residents. Across the globe, you may still fall under its scope if:
- You offer goods and/or services to EU residents: If your NZ business provides goods or services to individuals residing in the EU, GDPR may apply, regardless of whether payment is involved.
- You monitor the behaviour of EU residents: If your business monitors the online behaviour of individuals residing in the EU, such as through targeted advertising or tracking website visits, the GDPR may still be applicable.
Determining GDPR compliance obligations in NZ
The EU can seem like worlds away from little ol’ NZ, but if your business is subject to the GDPR, you will need to consider the following:
- Data protection principles: Aligning with the GDPR’s core principles, your business must ensure lawful, fair and transparent processing of personal data, as well as data accuracy, minimisation, storage limitation, and security.
- Lawful basis for processing: Determine if you can process personal data based on consent, fulfilling contractual obligations, complying with legal requirements, or pursuing legitimate interests.
- Rights of data subjects: Ensure you’re aware of the rights granted to individuals under the GDPR, including the right to access, rectification, erasure, restriction of processing, and data portability. It’s essential if you’re in scope to implement processes to handle data subject requests.
- Data breach notifications: If a personal data breach occurs, your business must have the mechanisms in place to detect, respond to, and report breaches to the relevant authorities and impacted individuals within the specified timeframes.
- International data transfers: When transferring data to countries outside of the EU, you must ensure the appropriate safeguards are in place to protect the data, such as using standard contractual clauses or binding corporate rules.
While not all NZ businesses are subject to the GDPR, those that handle the personal information of EU residents should carefully consider their compliance obligations. Remember to seek legal advice where necessary, stay informed about updates to the GDPR, and prioritise data protection to maintain compliance and foster trust with customers.
Interested in how we can help your business with privacy readiness? Reach out to us here.