Be Prepared for NZ Privacy Act 2020
Nov 30, 2020 | 42Gears Team
Privacy has become a strong focus area in recent years. Large-scale breaches and the growth of cross-border data processing have raised fresh privacy challenges and prompted countries around the world to enact privacy regulations with more stringent provisions.
On December 1st, 2020, New Zealand's Privacy Act 2020 will repeal and replace the country's previous Privacy Act 1993. It applies to all organizations (the Act calls them "agencies") that collect, store, and process the personal information of people in New Zealand.
Does it have an extra-territorial scope similar to the EU GDPR? Yes, it does.
Overseas organizations that carry on business in New Zealand are under its purview too, whether or not they have a physical presence in the country.
As a result, your organization may need to meet a number of new obligations in addition to the security controls you already have in place. The following are key things to consider as you prepare:
1. Breach Notification: An organization is legally required to notify the Privacy Commissioner and affected individuals, as soon as practicable, of any privacy breach that has caused serious harm, or is likely to cause serious harm, to the affected individuals.
Not every breach requires notification. The new Privacy Act lists factors to assess when deciding whether harm is "serious", such as the nature and sensitivity of the information, who obtained or may obtain it, and whether the information is protected by a security measure (for example, encryption), to help you determine the right course of action.
The Office of the Privacy Commissioner (OPC) has launched a tool called NotifyUs to help organizations decide if a breach requires disclosure.
Note: Failure to notify the Commissioner without a reasonable excuse is an offence and can attract a fine of up to 10,000 NZD.
2. Compliance Notices: The new law widens the powers of the Privacy Commissioner, who can now issue a compliance notice requiring an organization to do something, or stop doing something, in order to comply with the Act. If the organization fails to remediate the issue for which the notice was served, the Commissioner can apply to the Human Rights Review Tribunal to enforce it.
Organizations must remember that even if the fine amount isn’t very high, the reputational and goodwill damage can be irreparable.
3. Restrictions on Overseas Disclosure: Organizations in New Zealand must ensure adequate safeguards are in place before disclosing personal information to an overseas entity. More specifically, the receiving entity must be subject to privacy protections comparable to those in New Zealand (or the individual must have expressly authorized the disclosure after being informed that those protections may not apply). Note that using an overseas cloud provider purely to store or process data on your behalf is generally treated as a use by your organization rather than a disclosure, but you remain responsible for how that data is protected.
4. New Criminal Offences: The new Privacy Act introduces criminal offences for misleading the Commissioner or any person exercising powers under the legislation, and for misleading an agency in order to obtain access to someone else's personal information. Examples include making false or misleading statements, impersonating an individual to gain access to their personal information, and knowingly destroying documents containing personal information after a request for them has been made.
Steps businesses should take:
1. Make sure you understand the categories of personal data you collect, why you process it, which third parties hold it, and where it is stored.
2. Develop a robust data breach response plan by revisiting your existing internal processes and policies, including how you will assess whether a breach is notifiable and how you will notify the Commissioner and affected individuals in time.
3. Appoint a Privacy Officer and review the data you hold and transfer, especially any transfers to overseas entities.
4. Establish privacy governance and review all policies and procedures, internal and external, that may be affected by the new legislation.
Privacy and security requirements are quite complex. To secure the data stored on your mobile devices, you can use SureMDM, 42Gears' unified endpoint management solution.