The General Data Protection Regulation (GDPR) adopted by the European Union (EU) came into effect on 25 May 2018 and applies globally. GDPR establishes a consistent set of requirements to protect EU citizens from privacy and data breaches. Any New Zealand entity that collects, uses or discloses personal information of EU citizens must comply with GDPR. Not complying could result in a fine of up to the greater of 4% of your organisation's global annual turnover or €20 million.

New Zealand situation: the Privacy Act 1993 controls how New Zealand-based agencies collect, use, store and disclose 'personal information'. The legislation implements a principles-based system administered and enforced by the Privacy Commissioner; there's more information on that here. A New Zealand-based entity could therefore be subject to both our own Privacy Act and GDPR. While there is significant overlap between GDPR and our own legislation, GDPR has a higher standard of compliance and more specific requirements.

As such, continuing with your Privacy Act compliance regime in relation to EU information is not likely to satisfy the GDPR requirements.

If you process EU information, we recommend you undertake a privacy review/impact assessment to ensure that your operations, policies and processes are compliant with the GDPR. There is more information and tools available here at the Privacy Commission.

Even if GDPR does not apply to you, this is a good opportunity to review your current operations, policies and processes.