The Strongroom

Why every New Zealand business should be paying attention to GDPR

18th April 2018


Written by Jason Wild, Information Security Consultant

Subscribe to any information security-related newsfeed, and you could be forgiven for suffering from GDPRF (General Data Protection Regulation Fatigue).

GDPR is due to come into force on 25th May this year and - to quote the official website - “Replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.” Phew! Quite a mouthful.

You might be tempted to dismiss it as not applicable to your New Zealand-based business, but the thing is, it doesn’t just apply to EU organisations. Businesses across the globe are scrambling to understand if GDPR applies to them, and if so, what they should do about it.

This infographic is a good example of many similar resources designed to help you to understand if your organisation falls under the shadow of GDPR: 


Image source: DLA Piper NZ


The short version is, ‘If you handle personal information belonging to EU citizens, regardless of where they or you are located, you are subject to GDPR.’ Which is pretty far-reaching, and cause for many New Zealand organisations to start feeling a little uncomfortable, if not yet panicky.

 Of course, as with anything new, there is the inevitable hype and misunderstandings driven by the media, both traditional and social. Here are the most common three:

“You’ll be fined 4% of total global revenue for GDPR violations”

It’s important to understand that 4% is the maximum possible penalty and fines of this magnitude would probably only be applied in the worst cases, where organisations have been demonstrably negligent with regard to the security of personal information. Also, although GDPR will apply to all EU member states, it’s unlikely that all of those states will apply the rules equally – Germany is likely to be pretty tough, the Republic of Ireland probably less so.

“GDPR will enforce mandatory notification of all security breaches”

Article 33 of the regulation actually says that breaches only need to be notified if they affect personal data, and even then, only if the breach is likely “to result in a risk to the rights and freedoms of natural persons”. So if you’re breached but the only thing affected is your company IP (for example), you don’t need to report it.

“GDPR is much more stringent than New Zealand regulations”

In fact, it’s not so different from our existing Privacy Act, which has been granted “adequacy status” with the GDPR. Of course, this may very well change in the future, but for now, if you’re complying with local regulation, your privacy safeguards are adequate under GDPR.

There is one grey area that we haven’t been able to resolve as yet: whilst the GDPR may apply to NZ business, will it be legally enforceable in New Zealand? The GDPR is an EU law, whereas we (obviously) operate under New Zealand law. How, or even if, such a law can be enforced across jurisdictions is something that a lawyer will need to answer. We’ve asked but haven’t had an answer yet (we’ll post an update if we get one).

So what’s Origin Security’s official advice? If you deal with EU citizens and hold or handle their data in any way, you should expect GDPR to apply to you. Consult your lawyer or in-house legal team to get a definitive view.

GDPR matters because it’s a sign of the times

Cut through the noise, and the key message to take away from the introduction of GDPR is that the issue of information security is growing in importance by the day. Regardless of whether or not your organisation is directly affected by GDPR, you need to prioritise securing your customers’ and your company’s data, today.

With mega-breaches being reported all the time, regulation is only going to get tougher. Closer to home, mandatory breach notification legislation will soon be passed in New Zealand, and our government is set to undertake a comprehensive refresh of our approach to cyber security. The earlier you start addressing your own security provisions, the better.

Origin Security can help you to assess your risks and put a programme of work in place to mitigate any issues you may have. Read more here.

Jason Wild

Information Security Consultant

Jason provides information security consulting as part of our vCISO offering. He has 29 years’ experience in the IT industry, with over 20 years in management and consulting roles.

Join the Strongroom
Join The Strongroom and get a regular round-up of news and views to keep you up to date with the fast moving world of cyber security.