GDPR in five minutes
General Data Protection Rules - a five minute guide
Please note - this does not constitute legal advice. We recommend you speak to your lawyer if you are unsure.
GDPR affects anyone (any business) who collects and processes data of EU citizens, regardless of where your business is located or how big your business is. This overview is aimed at small businesses trading predominantly in New Zealand that collect data, but not as a core function of their business (e.g. you have a wine club, newsletter, cookies on your website, membership area etc.).
You need a lawful basis for collecting and using personal data.
- With the individual’s unambiguous consent
- Contractual obligation
- In the legitimate interest of the data controller
- In the vital interests of the data subject
- In the public interest
- In compliance with legal obligations
Data Processing Agreement:
If you use third-party data processors (Stripe, PayPal etc.) you need a contract with them that addresses the nature and purpose of the processing and everyone's responsibilities and liabilities. This contract is generally referred to as the Data Processing Agreement (DPA).
If you have Google Analytics, you need to accept the Data Processing Amendment in your Analytics Account settings. You can read more here.
The GDPR also requires companies to document their data processes but this is not mandatory for companies with fewer than 250 employees.
So - where does that leave you?
We can offer technical assistance for changing settings & content, but we cannot offer legal advice.