New Zealand businesses that deal with the personal data of EU citizens may need to upgrade their data protection measures to more closely match the new EU rules.

The EU’s General Data Protection Regulation (GDPR) comes into force in May 2018. The new data protection regime provides enhanced protection to EU citizens in respect of how their personal data is used.  Not only does the GDPR apply to all EU member states, it also applies to data processing outside the EU where that processing relates to the offering of goods or services to, or monitoring the behaviour of, EU citizens.  

New Zealand has been formally recognised as having an ‘adequate level’ of privacy protection to meet European standards.  As a result, provided that New Zealand businesses comply with the New Zealand Privacy Act, they can lawfully transfer personal information from the EU to New Zealand.  

But this could change.  

If New Zealand is to maintain this “safe” status, then its privacy laws and practices will need to continue to meet the EU’s requirements.  As a result, bringing our privacy laws into line with the GDPR is likely to be a key consideration in the planned reform of the New Zealand Privacy Act.  The Ministry of Justice expects to consult privacy experts on a new Privacy Bill later this year, after which the draft bill will be introduced into Parliament.  The bill is expected to include stronger powers for the Privacy Commissioner, mandatory reporting of privacy breaches, new offences and increased fines.

So what does this mean for New Zealand businesses dealing with personal information of EU citizens?  By gradually adopting privacy practices that comply with GDPR standards, you can help ensure your business remains compliant and reduce compliance costs later, once the proposed changes to the Privacy Act come about.