New Zealand Privacy Act 2020 vs GDPR: How Do They Compare?


Understanding the variety of data protection laws is crucial for businesses in today’s interconnected world. The comparison of the New Zealand Privacy Act 2020 vs GDPR offers a unique perspective on how different regions approach personal information and data privacy.

This article aims to dissect and compare these two significant pieces of legislation. We will examine the main characteristics, distinctions, and resemblances.

So let’s get started!

Key Takeaways

The New Zealand Privacy Act 2020 and GDPR both safeguard personal data but differ in application and scope. Businesses engaging with European or New Zealand data must understand these differences.

Both the New Zealand Privacy Act 2020 and GDPR emphasize the need for clear consent and transparency in data usage, underlining their importance in fostering consumer trust.

Captain Compliance offers expert solutions to help businesses navigate and comply with both the New Zealand Privacy Act 2020 and GDPR, ensuring consumers’ trust and adherence to global privacy standards.

What is the New Zealand Privacy Act 2020?


The New Zealand Privacy Act 2020 took effect in December 2020, updating the older privacy law to fit today’s digital world. It is intended to keep personal information private and secure. A government office, the Office of the Privacy Commissioner, is responsible for enforcement.

The Commissioner’s office receives complaints from individuals, advises businesses on handling customer data in line with the regulations, and promotes awareness so consumers know their rights.

The main goal of the New Zealand Privacy Act 2020 is to protect people’s personal information. It has some important rules, like:

Privacy Breach Notifications: If a business has a significant privacy problem, like a data leak, it must tell the Privacy Commissioner and the people affected. This helps keep everyone informed and safe.

Rules for Overseas Data: The act also has rules for sending personal information outside New Zealand. Businesses can only share data with countries that have strong privacy protections.

Obtaining Consent: All businesses must obtain consent when processing personal information. This lets individuals know who has their information and how it will be used. They must also provide clear options for revoking this consent at any time.

The New Zealand Privacy Act of 2020 is the main law dealing with how businesses in New Zealand collect, use, share, and store personal details about people.

It applies to all businesses working in New Zealand, even ones based overseas, so if your business gets information about New Zealand citizens and keeps it on file or in a database, you have to follow the Privacy Act requirements.

The goal is to make sure that no matter where in the world a business is located, the private information of New Zealanders stays safe and isn’t misused.

What is GDPR?


The General Data Protection Regulation, or GDPR for short, took effect on May 25, 2018. Even though it was made by the European Union, this important regulation impacts businesses that handle EU residents’ personal information anywhere in the world. It is the world’s largest and most relevant data privacy law to follow.

The GDPR, with its comprehensive GDPR principles, is enforced by data protection authorities in each of the EU states.

They make sure businesses stick to the guidelines and can impose hefty fines if they don’t: businesses can be fined up to €20 million or 4% of the business’s profits. This shows how serious the EU is about protecting personal data.

A key goal of the GDPR is to enhance data subject rights, give individuals more control over their personal information, and ensure businesses handle it carefully. It has several key rules, like:

Consent: Businesses need clear permission from people to use their data. This means people should know exactly what they’re agreeing to.

Data Rights: People have the right to see their data, change it if it’s wrong, and ask businesses to delete it.

Data Protection: Businesses must protect personal data from being lost, stolen, or shared without permission.

The GDPR applies to any business that handles personal data from people in the EU. This means it’s for more than just EU businesses. If a business outside the EU has consumers in the EU, it has to follow the GDPR, too. This makes the GDPR one of the world’s most far-reaching data protection laws.

Differences Between New Zealand Privacy Act 2020 vs GDPR


The New Zealand Privacy Act 2020 and the General Data Protection Regulation (GDPR) are both hyper-relevant laws for any global business, but they have distinct differences in their approach and application. Understanding these differences is crucial for businesses operating across these jurisdictions:

Scope of Application

The New Zealand Privacy Act 2020 protects New Zealander data and applies to businesses, both domestic and foreign, that process New Zealander data.

New Zealand is a smaller country, with roughly 6 million people as of 2024. However, its law is still hyper-relevant to any global business.

The GDPR’s scope is wider: it covers any business that handles the personal information of consumers in the EU, no matter where that business is located. So if a business outside the EU sells goods or services to people living in the EU, or tracks their online behaviour, that business must follow the GDPR rules.

Definition of Personal Information/Data

Under the New Zealand Privacy Act, personal information is defined as information about an identifiable individual. This includes many data types but does not explicitly distinguish between anonymized or de-identified data.

The GDPR, however, provides a more detailed definition, categorizing data into personal data and pseudonymized data, with specific provisions for each. Anonymization under the GDPR must be irreversible to render the regulation inapplicable.

Consent Requirements

The New Zealand Privacy Act does not mandate consent as a basis for collecting or using personal information, not even for sensitive data. The default basis for processing personal information is that it is necessary for the business’s function.

The EU is stricter: the GDPR requires explicit consent for processing personal data. People must give consent freely, knowing exactly what they are agreeing to, with no gray areas or wiggle room.

Individual Rights

Under the New Zealand Privacy Act, the focus is on two key rights: the right to access and the right to correction. Individuals can request access to their personal information held by the business and can ask for corrections if they find inaccuracies.

This ensures transparency and accuracy in data handling but doesn’t extend to broader rights.

The GDPR, however, offers a broader range of rights, including the right to erasure (the “right to be forgotten”), the right to data portability, and the right to object to processing, providing individuals with greater control over their data.

Breach Notification Timeline

Both laws require notification in the event of a data breach, but the criteria differ. The New Zealand Privacy Act says businesses must notify people if it is reasonable to believe a data breach could cause someone serious harm, for example if private information was exposed.

They must consider how serious the harm could be and how sensitive the information is. If the breach meets that threshold, they have to tell the Privacy Commissioner and the consumers whose data was breached, but there is no hard deadline.

Europe’s GDPR rules are stricter. If a data breach is likely to pose a risk to individuals, such as identity theft or financial loss, the company has to report it to the supervisory authority within 72 hours. If the risk is high, it also has to tell the affected individuals as soon as reasonably possible. This forces faster notification all around, so the damage can be contained before it spreads.

Penalties and Sanctions

The New Zealand Privacy Act allows for fines of up to NZD 10,000 (around 6,115 USD) for non-compliance.

In contrast, the GDPR has much steeper penalties, with fines up to EUR 20 million (around 21.5 million USD) or 4% of the total worldwide annual turnover, whichever is higher. This difference underscores the GDPR’s more stringent approach to compliance and enforcement.

Anonymization and Secondary Use of Data

New Zealand’s privacy law permits using someone’s personal details for purposes other than the one they were originally collected for in certain circumstances. Information can also be shared with another organization as long as the person cannot be identified from it.

The GDPR, however, has clear distinctions between pseudonymized and anonymized information, with specific guidelines on how anonymization should be achieved to exempt the data from GDPR’s applicability.

Similarities Between New Zealand Privacy Act 2020 vs GDPR

Despite their distinct approaches, the New Zealand Privacy Act 2020 and the GDPR share several fundamental similarities. These commonalities reflect a growing global consensus on the importance of data privacy and protection.

Emphasis on Individual Rights

The New Zealand Privacy Act 2020 and GDPR both make individual rights about personal information a big priority. They say people should be able to see what personal data businesses have stored on them, and consumers also get to fix any mistakes or old information to ensure that their information is accurate and up-to-date.

This shared focus on individual rights highlights a commitment to empowering individuals with control over their personal information, recognizing the importance of transparency in data handling.

Requirements for Data Processing

The New Zealand Privacy Act 2020 and Europe’s GDPR both have strict rules around collecting and using people’s details. Companies need to be clear about why they want consumers’ personal information and how they will use it.

Businesses are required to inform individuals about how their data will be used, ensuring that data processing is not done in secrecy. This can be done through a transparent privacy policy.

This approach reflects a shared belief in the importance of ethical data practices, where respect for individual privacy is a fundamental consideration.

Data Security Obligations

The New Zealand Privacy Act and the GDPR both impose obligations on businesses to protect personal data from unauthorized access, loss, or damage. This involves implementing appropriate technical and organizational measures to ensure data security.

The requirement for robust data security measures underlines the recognition of the risks posed by data breaches and cyber threats. Both laws also emphasize the need for ongoing vigilance and adaptation in the face of evolving security challenges.

Businesses are expected to regularly review and update their security practices, ensuring that personal data is protected against emerging threats. This shared focus on data security underscores the importance of proactive and dynamic approaches to protecting personal information.

Breach Notification

Under both the New Zealand Privacy Act 2020 and the GDPR, businesses are required to notify the relevant authorities in the event of a data breach. This notification must occur promptly, ensuring that regulatory bodies are aware of any potential risks to personal data.

In cases where the breach poses a significant risk to individuals, businesses must also notify the affected individuals, allowing them to take protective measures. The breach notification requirements in both laws highlight the importance of transparency and accountability in handling data breaches.

By mandating prompt notification, both laws aim to minimize the potential harm from data breaches and reinforce the responsibility of businesses to safeguard personal data.

Cross-Border Data Transfer Restrictions

The New Zealand Privacy Act 2020 and the GDPR both have rules about sending personal information across borders. They aim to ensure that people’s data remains protected when it is sent elsewhere.

So, if you are going to transfer data to another country, you must assess that country’s privacy laws and confirm they are adequate. If the country does not have adequate data protection laws, extra safeguards, such as contracts signed by the recipient, may be necessary.

Both laws share the same concern: what might happen to people’s private information once it starts moving around the world.

Role of Regulatory Authorities

The New Zealand Privacy Act 2020 and Europe’s GDPR both establish bodies to police the protection of people’s data. New Zealand has a Privacy Commissioner who makes sure businesses follow the law, deals with complaints from individuals, investigates problems, and penalizes organizations that step out of line.

Data protection authorities in the EU work to guarantee GDPR compliance. They can investigate complaints, impose fines on offenders, and offer guidance. There is oversight on both sides to keep data collectors respectful of consumers’ privacy, and these bodies have teeth to enforce the rules. Businesses need to honor the laws or risk getting bitten.


After exploring how the New Zealand Privacy Act compares to the GDPR, you might be considering the next steps for your business’s data protection strategy. Complying with these regulations may feel overwhelming, but it is essential. It is a crucial measure to protect consumers’ trust and your business’s reputation.

That’s where Captain Compliance, offering specialized compliance services, comes in. Our team provides corporate compliance and outsourced compliance solutions, guiding you through the complexities of the New Zealand Privacy Act 2020. We can also guide you through the complexities of the GDPR.

Our comprehensive compliance training ensures your business adheres to both the New Zealand Privacy Act 2020 and GDPR. Our guidance also makes your business a leader in data protection. Get in touch with us, and let’s work together to turn compliance into a competitive advantage for your business.


How Do Businesses Implement the New Zealand Privacy Act 2020 and GDPR?

Both laws require businesses to adopt strict data protection protocols, ensure transparency in data usage, and handle breaches effectively. Implementing these laws involves understanding their distinct requirements and adapting business practices accordingly.

Check out our resources here for a step-by-step guide on implementing these privacy laws.

What Are the Essential GDPR Compliance Requirements for Businesses?

Understanding the GDPR compliance requirements is crucial for any business handling EU citizens’ data. This includes obtaining clear consent, ensuring data security, proper data processing, and prompt breach notification.

For a comprehensive breakdown of these requirements and how to effectively meet them, check out our detailed article, which provides in-depth guidance and practical tips.

Consent is a key aspect of both laws. Under the GDPR, explicit consent is crucial, especially for sensitive data, while the New Zealand Privacy Act 2020 has a more flexible approach. Businesses must clearly understand the consent requirements to ensure compliance.

Want to learn more about how GDPR compares to other laws in the world? Check out our guide here.

What Are the Consequences of Non-Compliance with the New Zealand Privacy Act 2020 and GDPR?

Non-compliance can lead to significant penalties. Under the GDPR, fines can go up to €20 million (around 21.5 million USD) or 4% of annual global turnover, whereas the New Zealand Privacy Act 2020 can impose fines up to NZD 10,000 (around 6,115 USD).

Concerned about compliance? Get advice to avoid penalties from us.

Online Privacy Compliance Made Easy

Captain Compliance makes it easy to develop, oversee, and expand your privacy program. Book a demo with a compliance SuperHero or get started today.