She said the data is as simple as a person's name, phone number, e-mail address, IP address, location data or photos.
"Even if your data management is looked after by a third party such as a CRM system or Mail Chimp, you are still liable for this."
How to comply
In extreme cases, failure to comply with the EU law could result in fines of up to $20 million, or 4 per cent of annual global business turnover, for Kiwi businesses.
Watkins said Northland businesses will first have to add or update a privacy policy on their website and place it in a visible location there.
"You might want to contact a lawyer for this or use tools you find on the internet to help you generate one. It will need to fully disclose what you are doing with website users' data."
Websites will also need an additional alert to inform website visitors and users that you are using cookies, which store the data.
She said many businesses will also need to move their websites to https by installing a security certificate.
Watkins said the best way to get in line with the GDPR is to consider your entire website user experience, taking in contact forms, newsletter sign-up (MailChimp), e-commerce pages (check-out), accommodation websites (booking system), Google AdWords, Facebook, brochure/catalogue downloads, memberships and CRM systems.
"We are still looking into compliance around third party site policies, such as Mailchimp.
"Your website host will take care of the technical side of things and upload new pages and add the cookie alerts."
She said adding cookie alerts would cost less than $100 but upgrading to https could cost between $200 and $300.
"It remains to be seen how the GDPR will be policed and how compliance will be monitored, but I suspect that non-compliant sites will be penalised in some way."
Good practice
Richard Anstice, commercial lawyer at Regent Law in Whangarei, said the GDPR is a big law with heaps of rules that Northland businesses which sell goods or services to people in the EU, or monitor the online behaviour of people in the EU, will need to comply with.
"Hacks and other data breaches are on the rise. We all know about people being scammed, having accounts hacked. Good practice for data security and privacy is necessary to manage risks and to get insurance.
"Compliance with NZ privacy laws also matters. The EU considers New Zealand's privacy rules are 'adequate'… this enables sharing of information with NZ businesses."
Anstice said each EU member had a supervisory authority which was broadly similar to the NZ Privacy Commissioner.
"But a central European Data Protection Board will co-ordinate these [laws]."
Non-compliance, he said, could result in fines or difficulties exporting to the EU.
Anstice said business owners needed to be proactive in assessing their need to comply.
"Now is the time to check compliance with NZ privacy law, and to assess whether a business is directly exposed to the GDPR.
"…assess your compliance with New Zealand privacy laws… give your business a privacy health check."
He said if you discover you are collecting data from the EU, get legal and IT advice around complying with the GDPR.
"Nobody likes extra compliance. But, if we are trading well internationally, GDPR compliance can be a good problem to have."
He said it was an opportunity to grow our brands by "being the best at looking after our customers' personal information".