Even businesses without a physical presence in the EU may have to comply with the new rules if they:

  • sell goods or services to a person who lives in the EU; or
  • monitor the behaviour of a person who lives in the EU.

The critical factor is the location of the individual (data subject) not the location of the data processor or data controller. We don’t really know how the new regulations will be monitored in countries outside the EU.

So here are 10 Key steps to help NZ marketers comply with GDPR

  • You must have consent to collect personal information. You will need to record how you obtained consent
  • Individuals have the right to access their data. You should plan how to handle any access requests
  • Individuals have the right to have inaccuracies corrected. Already required under NZ legislation
  • People can have their details erased. The right to be forgotten - this doesn’t seem practical, but it's in the regulations
  • Consumers can opt out of Direct Marketing. This is not in NZ law, but is best practise
  • Individuals can prevent profiling and automated decision making. Makes programmatic advertising a problem
  • People have the right to request data portability. Organisations must be prepared to securely transfer data
  • You must have legal basis for processing personal data. Similar to NZ Privacy Principle 1
  • It will be Mandatory to report a Data Breach. Also in the new NZ Privacy bill, you’ll need to report any personal data breach to the Privacy authority
  • Children’s Data. You will require systems in place to verify individuals’ ages and to gather parental or guardian consent

Download these steps as a PDF 

If you need help with Privacy queries or any other legal/regulatory issue affecting marketing just email contactus@marketing.org and our compliance consultant Keith Norris will help. It’s a free service for corporate members of the Marketing Association.

Please Note: This does not constitute formal legal advice. It is intended to convey what the Marketing Association considers best practice. If you are in any doubt, we recommend you seek specialist legal advice.