Data protection – What is happening overseas and the implications for NZ?

This is article 2 in a three-part series on data protection and the implications for open banking:

EU General Data Protection Regulation

The General Data Protection Regulation of the European Union (GDPR) came into force on 25 May this year and is the biggest shake up to European data privacy laws in 20 years.

Critically, a business anywhere in the world (including New Zealand) will be subject to the GDPR where:

  • it processes or controls personal data of individuals residing in the Union; and
  • the processing activities are related to offering goods and services to, or monitoring the behaviour of, individuals in the Union.

Banks with operations, business or potential business within the Union should turn their minds to whether they fall within the ambit of GDPR.  It is important to undertake this analysis, as the compliance requirements and sanctions under GDPR are much more onerous than those that apply under the current Privacy Act (and even from the law that is proposed under the Bill).

There are a number of areas in which the GDPR deviates from New Zealand privacy law, and some of the most marked have implications for systems and processes used within the organisation.

In particular, and this may come with a price tag.  Banks will need to have necessary technology solutions to be able to comply with the following requirements:

  1. Mandatory breach notificationIn general terms the changes that are discussed above with respect to mandatory breach notification under the Bill would need to be accelerated for GDPR compliance.
  2. ConsentConsent under GDPR (for example to marketing or for profiling purposes) requires a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the individual’s authorisation.  Silence, pre-ticked boxes, or inactivity is not enough to constitute consent or deemed consent.  The systems that support existing consent gathering may need to be reconfigured, upgraded or replaced to cope with much more sophisticated consent gathering requirements.  Agencies will need to be able to produce evidence that consent has been obtained, and therefore the use of reliable systems are a must.
  3. The right to be forgottenSince personal data must be erased on request of the individual, unless there are compelling reasons, systems need to be capable of finding and erasing data.  Banks may also need to consider the extent to which and how this can be achieved in respect of back-up and archive data.  This may be burdensome where data is held in disparate systems.  It may be that some but not all data about an individual will need to be erased, which means further complexity.
  4. Data portabilityThis means that on request an individual is entitled to receive a copy of all personal data held about them in a structured, commonly used and machine-readable format.  Similar to the right to be forgotten requirement, systems need to be capable of finding and gathering all of the relevant data and (in what is possibly the more complex task, at least as an initial exercise) mapping and structuring that data for use elsewhere.

In terms of processes, the “privacy by design” requirement of GDPR requires an agency to implement measures to show that they have considered and integrated data protection into their processing activities.  Whilst this may not be a legal requirement for New Zealand agencies unaffected by GDPR (even under the proposals in the Bill), “privacy by design” is just an example of good planning and it is likely that banks will be doing this in any case.

Similarly, where, for example, a bank wishes to leverage personal data for a novel purpose or commercialise it in some way by providing it to a third party, it will be necessary for the bank to undertake a privacy impact assessment (PIA), at least in certain higher risk situations.   Taking the opportunity to undertake a PIA is a useful exercise, particularly when it comes to considering whether data that appears anonymous could actually be lead to the re-identification of the individual once it is combined with other data collected from elsewhere.  Again, undertaking a PIA reflects best practice and banks should be familiar with this.

Like this article?

This is article 2 in a three-part series on data protection and the implications for open banking:

Who can help

Richard Wells

Partner - Corporate and Commercial

Richard is a commercial lawyer with particular expertise in technology, media and telecommunications law, intellectual property, commercial contracting and sport.

He advises clients on issues arising at all stages in the product lifecycle and is an expert legal draftsperson and troubleshooter.  Richard is sought after to help establish new ventures and to commercialise new technology both in New Zealand and overseas.

As well as his technology practice, with a background in commercial and IP law, Richard is recognised as a leading Sports and Events lawyer ranked as Band 1 by international research directory Chambers Asia Pacific. He has broad experience working with event hosts, sponsors and stakeholders to deal with issues arising in relation to major events in New Zealand.

Richard Wells


Corporate and Commercial

P: +64 9 353 9908
M: +64 21 244 0238

Tom Maasland

Partner - Corporate and Commercial

Tom is a Partner in our Technology, Media and Telecommunications (TMT) practice – a practice which has been recognised by international legal directory, Asia Pacific Legal500, as Tier 1 for TMT in New Zealand.

Tom advises on the full gambit of technology law issues – from advising clients on major technology transformation programs and large scale technology procurement, through outsourcing and managed services and “as a service” arrangements, to the more run of the mill software licensing and support agreements. Tom also advises on emerging technology areas such as cyber security, artificial intelligence, blockchain and smart contract related advice.

To compliment his “black-letter” law expertise developed in private practice in NZ and the UK, Tom is able to draw on deep commercial acumen following significant in-house experience at Spark NZ (where he was Assistant General Counsel) and at Telefonica O2 in the UK and Ireland.

Tom has been ranked by Chambers & Partners as a leading TMT lawyer since 2013 where sources say “He is a very good communicator, able to articulate what can be a complex concept in a way that is easily understood by various parties.”  The Asia Pacific Legal 500 ranks him a leading individual in TMT, where sources describe Tom as “very client-focused, passionate and proactive.”

Tom Maasland


Corporate and Commercial

P: +64 9 353 9875
M: +64 27 453 6511

Jeremy Muir

Partner - Financial Services

Jeremy is a specialist financial services and investment lawyer. He works with retail and wholesale fund managers (including KiwiSaver and superannuation), trustee companies, derivatives issuers, FinTech (including crowdfunding and peer-to-peer lending platforms), insurers and start-ups.  He is also one of New Zealand’s leading lawyers advising on cryptocurrencies, initial coin offerings (ICOs) and digital tokens – working closely with the Financial Markets Authority and other regulators in relation to the treatment of coins, tokens, schemes and exchanges under New Zealand law.

Jeremy advises on all aspects of the Financial Markets Conduct Act 2013 (FMCA), in particular managed investment schemes and all required licences. He also advises on all other financial services legislation (including financial service provider registration, non-bank deposit takers (NBDTs), insurance prudential supervision, financial advice and broking).

Jeremy enjoys working with alternative assets and structures across private equity, venture capital, hedge funds, property investment vehicles, marinas and innovative platforms and products. He is a limited partnerships expert, having established numerous private equity and venture capital funds, including negotiating with significant cornerstone investors such as the New Zealand Venture Investment Fund (NZVIF), New Zealand Super Fund, ACC and Maori investors.

Jeremy also spent several years working in offshore funds for a major offshore law firm, and is admitted to the bar in both Guernsey and the Cayman Islands.

Jeremy Muir


Financial Services

P: +64 9 353 9819
M: +64 21 625 319

Jennifer Hambleton

Senior Associate - Dispute Resolution and Litigation

Jennifer is a member of our Dispute Resolution team with strong experience on contentious and non-contentious competition and consumer law matters and general commercial litigation.

Her expertise includes competition and consumer law, contract, franchising and corporations law disputes.

Jennifer has extensive experience as a commercial litigator. She has represented commercial and government clients on a number of large complex disputes in the Federal and Supreme Courts in Australia, the Australian Competition Tribunal and the High Court and Court of Appeal in New Zealand. Jennifer has particular expertise acting on competition enforcement actions, consumer law actions, actions for breaches of directors duties, contractual disputes and negligence actions.

Jennifer has advised clients in the technology and telecommunications, insurance, gambling, airline, accommodation, FMCG, grocery, pharmaceuticals and energy industries on a range of commercial issues. This includes advising clients on the implications of commercial terms such as warranties and indemnities, termination rights, restraints of trade and confidentiality, compliance with the Commerce Act, Fair Trading Act and Companies Act and product liability issues.

Jennifer Hambleton

Senior Associate

Dispute Resolution and Litigation

P: +64 9 353 9794
M: +64 27 541 0994

June Hardacre

Senior Associate - Employment

June has broad experience in all aspects of both New Zealand and English employment law. June regularly advises on senior executive appointments and terminations; restraints of trade and protection of confidential information; performance and disciplinary processes; restructuring, redundancy and outsourcing programmes; industrial relations and collective bargaining matters; whistleblowing and protected disclosures; and employee data privacy issues. June has been involved in litigation at all levels of the New Zealand court system, both in relation to substantive disputes and urgent interlocutory matters. June has significant experience in acting for both private and listed companies in the financial services, pharmaceutical and healthcare, and food and beverage sectors.

June recently returned to New Zealand, having practiced at a magic circle firm in London for several years, and at another top tier New Zealand law firm prior to that. During her time in London, June regularly advised leading private equity houses and FTSE100 companies on employment law and regulatory issues.

June Hardacre

Senior Associate


P: +64 9 353 9723
M: +64 21 105 9616

Related Articles