What is GDPR and what are the compliance requirements?

Updated: Apr 27, 2025

What is GDPR?

The General Data Protection Regulation (GDPR) is a law that came into force in the European Union (EU) and European Economic Area (EEA) on 25 May 2018. Its goal is to give people more control over their personal data and standardise regulations for organisations that collect, store, and use personal information.

How does this impact my business?

If your business does NOT target or deal with customers or website visitors in the EU or EEA:

You do not need to worry about GDPR compliance.

But:

It’s still best practice for all NZ business websites to have a clear privacy policy explaining what data you collect, how you use it, and how users can contact you.

GDPR does affect you if you:

  • Advertise online to people in the EU/EEA
  • Collect data (like emails or orders) from EU/EEA residents
  • Sell products or services to customers in the EU/EEA

If any of this applies, seek professional legal advice on compliance.

Countries in the EEA include:

  • United Kingdom
  • Ireland
  • France
  • Spain
  • Italy
  • Germany

See the full list of EEA countries.

Advice to NZ Customers

If your business and website are not engaging with customers in the EEA, then you don’t need to worry.

Given the increasing attention on data collection, it is nevertheless advisable for all websites to publish a clear privacy policy detailing how data is collected and managed and for what purposes it is used.

The following website provides a good Privacy Policy Generator.

What activity may mean you need to comply with GDPR requirements?

  • Online advertising within the EEA
  • Collecting customer information from people within the EEA, such as newsletter lists, enquiries etc.
  • Ecommerce sales to customers within the EEA

If the above applies to you, then you should seek legal advice.

You will need to publish an updated privacy policy on your website that details how you collect and manage website visitor data. You will also need to present a suitable consent notification to web visitors.

Note that if your website is integrated with other platforms, such as email marketing and CRM systems, you will need to make sure that your customer data management within those platforms is also compliant.

Google Analytics and GDPR

Some years ago, Google introduced demographic and affinity visitor data profiling in Google Analytics.

The only participation requirement for this was that the analytics owner had to publish a web policy stating that visitor data is collected and may be used in aggregate.

It is Google’s policy on this that is changing to bring Google Analytics into compliance with the GDPR.

The notice customers have received from Google relates to the expiry of all personalised website visitor data after 26 months, effective from May 25th 2018. This data will be deleted monthly on a rolling basis.

This excludes normal data such as sessions and user engagement metrics, but does include user-level data and event-level data collected using cookies for use in Google’s advanced advertising features such as remarketing.

Google is giving you the opportunity to manually change the default data collection settings in Google Analytics so that the data does not automatically expire. If you make this change and you fall within the GDPR regulations, the onus will be on you to make sure your Google Analytics account complies with the GDPR requirements.

Google has also stated that it will soon release a new feature enabling website visitors to delete their own data.

Obtaining web visitor consent

Google has published a website offering advice to publishers and advertisers on how they can comply with the GDPR. This includes advice on how to manage and implement consent notices to website visitors.

http://www.cookiechoices.org/

We will be updating this article as more information comes to hand. If you are a NZ business, please contact us if you have any questions.

Quick NZ Business Checklist

No EU/EEA customers? Focus on having a good privacy policy.

Engage with EU/EEA residents? Seek legal advice and add proper consent banners.

Unsure? Always better to be transparent and clear with your website visitors about data collection.
