GDPR: NZ Businesses Are Affected – What Steps You Need to Take!
Dallas Rabot
GDPR (General Data Protection Regulation) is a new set of European Union data privacy laws that goes into effect on the 25th of May 2018 and will affect many New Zealand businesses. The laws govern how companies collect, store and use personal information.
Organisations that don’t comply could be hit with large fines of up to 4% of a company’s global annual turnover or €20 million.
You might still be thinking that these EU laws only affect Europe but not New Zealand – well it’s a lot more complicated than that. In fact, even if you use something common such as Google Analytics for your website tracking – you may lose website data that is 26 months old or more if you don’t take immediate action steps.
Why & How New Zealand Businesses are Affected by GDPR
GDPR applies to all EU residents – even if the businesses or websites serving them are based outside of Europe.
In practice, this means that companies in New Zealand and around the globe will have to comply with GDPR if they wish to continue serving European users, otherwise they would have to build separate platforms and systems just for Europe – which is not feasible and would probably not work well with the internet’s intertwined nature.
You might have already come across many instances of businesses taking action steps towards complying with GDPR such as new privacy policies, terms & conditions or consent forms being rolled out from Microsoft, Google, Spotify, Quora, Mashable, Udemy, Discord, GoDaddy, LinkedIn, and more.
The end result of the GDPR will most likely mean that users will have more transparency and control over how their data is collected and used whether they reside in Europe or not.
Explicit Consent – which must be obtained from European users when collecting data on them. The user must opt-in and voluntarily agree to a clear statement that explains how their data is being used.
Privacy Settings – users should be given the strictest privacy setting by default and will then have to manually make changes.
Access to User Data – Users will have increased rights over their data, and will be able to access where, why and how their data is processed (companies are expected to honour requests within 4 weeks).
‘The Right to Be Forgotten’ – which means that EU residents can have their data completely deleted from systems if it is no longer relevant.
Five GDPR Action Steps NZ Businesses May Need to Take
As an NZ organisation serving users around the globe, it may be best to do the following tasks:
Make Google Analytics GDPR Ready
Google emailed all analytics customers last month telling them that they have to “review these data retention settings and modify as needed” before the 25th of May 2018, when GDPR starts being enforced. You may have logged in and seen a pop-up about this.
This is essentially Google putting the GDPR compliance requirement on its users (website owners) and not on itself. It also means that Google will automatically delete all data that is older than the default setting (which appears to be 26 months).
If you want to retain your data it’s best to change the setting now so that data does not expire.
Update Your Privacy Policy
This should explain how you collect and use data, and which third-party service providers you share that info with. It should also cover the processes by which users can obtain and delete any stored data you have on them.
Add a banner to your website
If you use cookies, remarketing ads or tracking codes such as Facebook Pixel, you’ll need explicit consent. You might want to add a banner or pop-up that links to your terms and conditions for more info and has the user click an accept button. A good example of this would be the new cookie banner that IGN has recently pinned to their website.
Email Marketing Opt-in
If you have newsletters going out, make sure that people on your mailing lists have checked a box agreeing to receive those emails.
Selling Products to EU Residents
Make sure you only collect absolutely necessary info at check-out, or obtain explicit approval for the additional info you collect and state how you utilise it.
This is by no means a complete list of GDPR regulations that may apply to New Zealand businesses; however, these are most likely the most common issues that will apply to the majority.
Dallas is Pure SEO's Head of Product. He has over a decade of local and overseas experience in Search Engine Optimisation. He previously co-founded a web & mobile app development company and holds multiple industry-leading SEO certifications.
Dallas is interested in the intersection between digital media & business. He holds a Bachelor of Arts degree from the University of Auckland - a Film, TV & Media Studies major, and a Diploma in Business from Auckland University of Technology.