Many Kiwi businesses could be caught out by far-reaching new privacy laws about to take effect in Europe, a computer science expert fears.

In five days, the European Union's General Data Protection Regulation (GDPR) law comes into force, aiming to protect its citizens' privacy and prevent data breaches.

It has worldwide effect - meaning New Zealand companies processing personal data of people residing in the union must also comply or face fines of four per cent of annual turnover or 20 million euros.

The changes require consent for information to be given in an easily accessible form using clear and plain language, not legal jargon.


Companies also have to allow people to withdraw consent - and have just three days to notify of a data breach.

The law further requires businesses to have a representative in the EU.

AUT's head of computer science, Associate Professor Dave Parry, expected that most Kiwi businesses hadn't prepared for the sweeping changes.

"I expect that New Zealand's big companies have had their legal and IT experts working on this for some time," Parry said.

"But I suspect our small- and medium-sized businesses have either not known about it, or have turned a blind eye."

Parry said our biggest industries - including tourism, education and agriculture - were those most likely to feel the effects of the new laws.

"Our biggest industries are the ones which most often deal with those in the European Union.

"But we all think of the likes of Fonterra, not a small family bed and breakfast, or the high school that recruits international students - they aren't exempt.


"They are the ones that should be checking that their websites and the way they store data are compliant as soon as possible."

The EU's definition of data included anything that can be used to directly or indirectly identify a person.

It could be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.

As it was an EU law, Kiwi businesses didn't necessarily have to pay the fines.

But if a number of New Zealand companies flouted the law, Parry believed, it was possible that the EU could try to shame us.

"There's alerts to discourage travellers going to countries with active wars, but what we could see is an advisory to EU residents saying if you go to New Zealand or deal with New Zealand companies you can't be sure of your privacy or how your data is stored.

"That could be extremely damaging for our tourism industry in particular."

Parry believed New Zealand data privacy laws weren't up to the same standard as the new EU legislation, but expected the Government would make amendments in time so they were in line.

A New Zealand Trade and Enterprise (NZTE) spokesperson said businesses had been informed of the May 25 change through workshops and direct contact, information published on its website and a social media campaign.