GDPR in five minutes


General Data Protection Rules - a five-minute guide

Please note - this does not constitute legal advice. We recommend you speak to your lawyer if you are unsure.

GDPR affects anyone (any business) who collects and processes data of EU citizens, regardless of where your business is located or how big your business is. This overview is aimed at small businesses trading predominantly in New Zealand that collect data but not as a core function of their business (e.g. you have a wine club, newsletter, cookies on your website, membership area etc.).

Lawful Basis:

You need a lawful basis for collecting and using personal data. 

  • With the individual’s unambiguous consent   
  • Contractual obligation
  • In the legitimate interest of the data controller
  • In the vital interests of the data subject
  • In the public interest
  • In compliance with legal obligations

You can read more here

Privacy Policy:

Your Privacy Policy needs to explain in clear and simple language how you are collecting and using the personal data of EU citizens, and who they can contact if they wish to review, change or delete their data.

Here is a good guide to get you started

Data Processing Agreement:

If you use third party data processors (Stripe, PayPal etc.) you need a contract with them that addresses the nature and purpose of the processing and everyone's responsibilities and liabilities. This contract is generally referred to as the Data Processing Agreement (DPA).

If you have Google Analytics, you need to accept the Data Processing Amendment in your Analytics Account settings; you can read more here.

The GDPR also requires companies to document their data processes, but this is not mandatory for companies with fewer than 250 employees.

So - where does that leave you?

As a starting point, make sure you have documented your decision on which lawful basis applies to your business - this will help you demonstrate compliance. Also make sure that you have included information about both the purposes of the processing and the lawful basis for the processing of your customers' data in your privacy notice. Finally, make sure you have a Privacy Policy on your website.

We can offer technical assistance for changing settings & content, but we cannot offer legal advice.