
When your business operates online, a key international data privacy law is the European Union’s (EU’s) General Data Protection Regulation (GDPR). As a small New Zealand startup, you may think that this law may not apply to you. However, this may not be the case. Therefore, this article will explain whether the GDPR is relevant for your small New Zealand startup.

What is the GDPR?

The GDPR is a network of data privacy regulations developed by the EU. It came into effect on 25 May 2018 and provides a set of principles aiming to protect EU residents’ personal data and privacy rights. These principles include:

  • legitimate data processing, which means that data processing must be lawful, fair, and transparent;
  • purpose limitation, meaning that you can only collect personal data for an explicit and legitimate legal purpose;
  • data minimisation, which requires that you only collect the personal data relevant to your purpose;
  • data accuracy, mandating that you should delete or correct inaccurate data and keep data up to date where appropriate;
  • storage limitation, meaning that you cannot store personal data for longer than you need; and
  • integrity and confidentiality, which implies that you must keep your data secure.

Anyone dealing with the personal data of EU residents will need to comply with these principles and the rest of the GDPR.

The GDPR and Your Startup

If you are setting up a startup in New Zealand, you may think that a privacy law on the other side of the world may not apply to your small business. However, the scope of the GDPR is far-reaching. Therefore, if you do business in the EU, it will likely apply to you. In particular, the GDPR can apply to your startup, regardless of your physical location, if you:

  • provide goods or services to customers in the EU; 
  • have offices or a trading presence in the EU; or
  • monitor the behaviour of people in the EU.

For example, if your website uses cookies that monitor its visitors’ behaviour, some of those visitors may be EU residents. Therefore, even in this small way, the GDPR can apply to your startup.

These rules apply to anyone who comes within their scope, from individuals to massive body corporates. Consequently, both ends of the spectrum have been on the receiving end of the GDPR’s fines, which can reach 20 million euros or four per cent of your annual global turnover, whichever is higher. Therefore, if your startup does business with people in the EU, you need to account for the GDPR to avoid these hefty penalties.

Not only that, if you wish to engage EU partners or investors with your startup, they themselves will be looking to avoid liability under the GDPR. If your startup is not GDPR compliant or does not have a compliance plan, they may see that as a risk they are not willing to take.

GDPR Compliance

To comply with the GDPR, you need to follow its rules for handling personal data. This term refers to any information directly or indirectly related to an identified or identifiable person, which includes:

  • names;
  • IP addresses;
  • physical addresses;
  • photos; 
  • financial information; or
  • any unique identifiers.

There is some overlap between New Zealand’s own privacy law in the Privacy Act and the GDPR. The breadth of personal information that both laws apply to is similar, except that the GDPR requires that you pay particular attention to protecting certain kinds of personal data, such as biometrics or personal data revealing religious views.

Notably, some of what you do to comply with New Zealand law will also apply to the GDPR. However, you will need to account for the areas that the Privacy Act does not cover. This compliance is an ongoing process that you need to review regularly to ensure that you are processing personal data legally within the GDPR’s guidelines.

For example, while both laws require consent in various parts of information collection, the GDPR provides specific rules for determining consent. Under the GDPR, people must freely give consent that is specific, informed, and unambiguous.

Potential Issues for Your Startup

The GDPR is a complex set of laws, and ensuring compliance may be difficult when you are a small team that is just getting started. Dealing with the fallout of breaching the GDPR can also be disastrous for a growing business. However, implementing measures to handle GDPR compliance from the beginning reduces the risk of your growth being limited in this way later on. If you want to expand internationally, you will have to deal with the GDPR eventually, simply due to its wide reach.

Therefore, you must weigh up the options that best suit your growth plan. Notably, increased data protection and security will lead to other benefits for your business outside of GDPR compliance, so there are various aspects to consider.

Key Takeaways

If your startup does business with EU residents or monitors their behaviour, then the GDPR will likely apply to you. However, compliance can be difficult for a small team such as your own, affecting your decisions to expand into the EU at an early stage. If you would like more information or help with your startup’s GDPR compliance, LegalVision’s data, privacy, and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0800 005 570 or visit our membership page.

Frequently Asked Questions

What is the GDPR?

The General Data Protection Regulation (GDPR) is a network of laws that aim to protect the privacy and personal data rights of European Union (EU) residents. Personal data is anything that can identify a living person.

Does the GDPR apply to my business?

If your business deals with the personal data of EU residents, then the GDPR may apply to you. For example, if you sell goods or services to EU residents, you will deal with information like names and addresses. Therefore, you need to comply with the GDPR.
