New European data privacy rule could cost 4% of turnover


06 April 2018

Daniel Dellemann / Business Development Manager and Market Analyst / NZTE Europe

New Zealand companies doing business with Europe must comply with new rules over the way they manage the personal data of European Union (EU) residents. 

The rules take effect on 25 May 2018 under the EU’s General Data Protection Regulation (GDPR). 

All companies and organisations that collect, store or use personal data of EU residents need to comply by 25 May, or risk penalties of up to 20 million Euros or 4 percent of global annual turnover. 

Compliance is required regardless of whether a company owns the data, or is just a service provider processing data for another company. 

New Zealand companies intending to launch their services in the EU need to be GDPR-compliant before contracting with EU companies.

EU partners expect New Zealand companies to have a compliance plan in place before GDPR takes effect. 

GDPR rules range from using plain language when communicating about data collection, to giving people the ‘right to be forgotten’, to keeping only data necessary for a specific purpose. 

Some companies including Facebook and Google have published descriptions of how they are complying with GDPR. 

How can my company prepare for GDPR?

We recommend you seek professional legal advice to prepare for the changes.  

For an overview of how GDPR affects SMEs, see the European Commission's website.

For an overview of how GDPR affects New Zealand businesses including a comparison of NZ Privacy Law v GDPR, see Russell McVeagh's Information Sheet For GDPR

Here are some actions you may want to consider:
• Analyse what, how and why you process data. Have a look at what kind of data sits in your CRM as a lot of it may be irrelevant or outdated.
• Assess how GDPR could affect your business. For example, some contracts may need updating and you may need to request consent from people who receive your newsletter.
• Consult with relevant stakeholders such as customers, data controllers and data processors. This relates to the above point: do you need to update contracts or request consent?
• Create processes: implement changes, set clear responsibilities and review your processes on a regular basis.
• Ask, how can your company show you are compliant? There are many ways to do this, for example by updating your website privacy policy.
• Data security: there are a lot of data security systems available. But as a starting point, you could review your passwords and encryption settings.

What is the purpose of GDPR? 

To create one coherent data protection framework to protect the rights of people living in the EU. 

Are GDPR regulations for companies with operations in the EU different to those without operations in the EU?

The short answer is the same rules apply regardless of where your operations are based. GDPR does not just apply to businesses and organisations with operations in the EU, but to all those collecting, storing or using the personal data of EU residents.

If you collect, store or use the personal data of EU residents and do not have a direct presence in the EU, you will be required to designate a representative in the EU to carry out compliance on behalf of your company.

Do companies collecting, storing or using the data of United Kingdom (UK) residents have to meet GDPR regulations, given the UK plans to leave the EU under Brexit?

Yes, as the UK is part of the European Union at the time GDPR takes effect it is included. It is also expected that the UK will adopt GDPR into its domestic law after leaving the EU, meaning an identical or substantially similar regulation will apply.

This article has been updated from an article published on 2 October 2017.


Related reading


E-commerce opportunities in Europe

26 July 2018

The European online retail market is vast, with an estimated value of NZ$1 trillion plus. Of the region’s 500 million consumers, nearly 60 percent shop online.


Guide to entering the European market

10 October 2017

Our Entering the European Market guide will help you understand if the EU is the right market, how to pick the right countries within the EU, and what to be aware of.


Collaborating for success in China

20 September 2017

A critical stage in international growth for any company is the point when they decide establish a legal entity in-market and put their own people on the ground. One way that New Zealand businesses can mitigate the risks at this stage in their international growth is through collaboration.

News feature

Air New Zealand: Redefining the journey

Air New Zealand acts as a gateway to one of the world's most inspiring destinations and it brands itself to match.