"Half a per cent of the 120,000 registered unemployed in January for example, is 600 people misidentified or ineligible, which might be a lot of disruption and grief for an already vulnerable group, depending on what you are going to do with that data."
In a separate speech to the Domain Name Commission earlier this month, Edwards tackled another thorny emerging GDPR issue: the effect of the new rules on the register of domain name holders.
Traditionally, it has been possible to search for, or "Look Up", domain name owners through a simple search.
Edwards said there is "an interpretation" of GDPR that it prohibits companies from publishing information that identifies at least some individual domain name holders.
WHOIS information about European-based registrants will be in breach of GDPR rules while existing ICANN agreements with registrars about WHOIS data will also be in breach.
Domain name companies say it's not clear whether ICANN wants them to apply the new rules to all domain registrants or just to those that live in Europe.
Registrant GoDaddy has already decided to redact email, names, and phone numbers from all of its published WHOIS records.
Edwards warned that if this approach catches on, it will be a blow to security researchers who depend on bulk access to WHOIS data, as well as to data analysis services, journalists and web archivists among others.
However, New Zealand domain registrars have a head start, Edwards said.
The Privacy Commissioner said his office had "strongly encouraged" the creation of a privacy option, consistent with the information privacy principles.
"We’ve also supported the Domain Name Commission by assisting in its guidance to users," Edwards said.
As part of monitoring the IRPO, the Domain Name Commission has said it will publish transparency reports about the access and disclosure of withheld information as well as developing Memorandums of Understanding where there is an ongoing and legitimate need for access to information that is not on the public register.
Last week, a result of that consultation emerged in the form of guidance on privacy and domain name data to "foster greater awareness of good privacy practices in the .nz domain name space".
Amongst all that, Edwards and his team even had time to launch a new Privacy Trust Mark to give New Zealanders assurance that a product or service has been designed with their privacy interests in mind.
Edwards said the Privacy Trust Mark demonstrates that a “privacy by design” approach was used and is intended to give consumers confidence in particular products or services.