When you set up an online store, anyone with an internet connection can access it. This is great for reaching new customers and widening your potential market. However, this also means that when you engage with overseas customers, the laws of the area they live in may apply to you. One of these laws is the European Union’s (EU) General Data Protection Regulation (GDPR). This is a broad network of laws that protect the data of people living in the EU, and it may apply to your business if you engage with customers in the EU. This article will explain what GDPR is and how it may affect your business.

What Is the GDPR?

The GDPR is a set of EU regulations that govern how entities (such as your business) handle the personal data of people living in the EU. This is a data framework applied across and outside of the EU since 25 May 2018. Its purpose is to protect this personal data and allow people to control how agencies use their personal data.

Like NZ privacy law, the GDPR defines personal data quite broadly as information that identifies an individual (or data subject). Examples of such data include:

  • full names;
  • video or image recordings;
  • IP addresses;
  • location data;
  • employment details;
  • email addresses; and
  • financial information.

Also similar to NZ privacy laws, the GDPR operates on principles aimed at protecting privacy. In your business, you should seek to follow these principles. They include:

  • Lawful Data Processing: You must collect, store, and use customer data (also called processing) fairly and transparently. You must have express consent from the customer to track their information.
  • Legitimate Purpose: You must have a proper purpose for processing data, which you need to make clear to the individual in question. You should make this information easily accessible to your customers.
  • Data Minimisation: Only collect and process data needed for your express purpose, and do not go outside of this purpose.
  • Accuracy: Make sure the data you process is accurate and up to date. Give your customers the chance to correct it if they would like.
  • Storage Limitation: Only store personal data for as long as you need it. Individuals covered by this law can ask you to erase their data in certain situations or restrict the kind of data processing you do.
  • Integrity and Confidentiality: You need to protect the data you process, ensuring security and confidentiality.
  • Accountability: As the data controller, you need to be able to demonstrate the steps you have taken to comply with the GDPR.

Does the GDPR Affect My NZ Business?

The GDPR applies to entities established in the EU that process EU personal data. But if your business processes the data of people living in the EU, then the GDPR will likely also apply to you. This is true even if you do not have a physical presence in the EU. You should make sure that you are GDPR compliant if your business processes personal data in connection with:

  • selling goods or services to EU residents; or
  • monitoring the behaviour of EU residents.

Tip: The GDPR also imposes some record-keeping obligations. But, if your company or business has fewer than 250 employees, then these obligations may not apply.

Both of these classifications are quite broad and may encompass your business operations. Examples of such operations include:

  • EU customers seeing and paying for products on your online store;
  • web analytics that process the personal data of EU residents.

For example, even if customers cannot place orders through your website, if your website sets cookies that track visitors, then the data those cookies collect could include the personal data of EU residents.

Note: EU data protection authorities can implement severe fines for GDPR breaches, up to €20 million, or 4% of your annual worldwide turnover (whichever is higher).

Tips for GDPR Compliance

There is a lot of overlap between the GDPR and current NZ privacy law. So, the measures you need to take to comply with NZ privacy law will be similar to those you would engage for the GDPR. The EU has useful resources on their website about compliance. What you need to do to comply will vary depending on your unique circumstances, so you should seek legal advice to ensure you meet the requirements applicable to your business. 

Here are some steps to take when considering your GDPR compliance requirements:

  • assess the scope of your business’s online activities and whether EU residents may engage with your website;
  • review how you collect data. Do you have customers’ express consent to process their data? You can gain this with a pop-up notice telling customers you track their data when they enter your website, and they need to confirm their acceptance on this notice;
  • consider why you are collecting data. What is your purpose? Can you give a legal reason, like needing it to perform a contract?;
  • review any existing IT or cybersecurity policies to make sure they are up to date;
  • make sure any data you process is encrypted and that you take other security measures as well;
  • appoint a Privacy Officer to manage your data collection obligations; and
  • if there is a serious privacy breach at your business, report it.

Key Takeaways

If you engage with EU customers or monitor EU residents’ activity on your business’s website, then the GDPR will likely apply to you. Take steps to ensure that you are GDPR compliant to avoid liability. If you would like more information or guidance around your GDPR compliance, contact LegalVision’s New Zealand IT lawyers on 0800 005 570 or fill out the form on this page.

Frequently Asked Questions

Does the GDPR apply in NZ?

If your business or organisation based in NZ is likely to deal with the personal data of EU residents, then the GDPR will apply to you. You do not need a physical presence in the EU to be subject to these legal requirements.

What does GDPR compliance require?

What you need to do to comply with the GDPR will depend on your business. But, it generally means keeping your customers’ personal information safe, only taking what you need, and making sure you have your customer’s express consent to collect their personal data.

About LegalVision: LegalVision is a tech-driven, full-service commercial law firm that uses technology to deliver a faster, better quality and more cost-effective client experience.
