Preparing your business for the new Privacy Act

Changes to privacy law come into effect soon with the introduction of the new Privacy Act – here’s how they will affect your business.

When New Zealand’s Privacy Act was written in 1993, the internet was just emerging.

Back then, it was unusual for a business to have a website, and few could have imagined that three decades later we’d be doing almost everything online – including grocery shopping, job applications, banking, dating and booking rides home. Now that’s a reality, our privacy laws are changing to reflect this massive shift.

On 1 December, 2020, New Zealand’s new Privacy Act comes into force. The new legislation offers greater protection for individuals, puts more responsibility on businesses, and covers overseas businesses working in NZ and NZ businesses using overseas services. It’s designed for the internet age, to protect private information and minimise data breaches.

A rough guide to the new Privacy Act rules

The rules will apply to all businesses that collect, keep and store customer data, whether it’s a vast database of personal and financial details or a single spreadsheet of client email addresses. The Privacy Commissioner will have the power to fine businesses that breach the rules.

That’s why it’s essential to do some research and preparation now – even if you think your business is handling privacy well.

There are a few significant changes in the 2020 Act that could have an impact.

• Transparency: businesses will be required to report serious privacy breaches – leaks, lost data or malicious attacks – to the Privacy Commissioner and the people affected.
• Access to personal data: if people request their personal information from a business or organisation, it must be supplied. The Act specifically states that a business could be fined if it destroys the information to avoid providing it.
• Overseas security: New Zealand-based businesses need to ensure that any overseas services they use – including cloud storage or eCommerce hosting – meet the security standards of the new legislation.
• Overseas businesses: companies that do business in New Zealand, whether they have an office here or not, will also need to follow the rules.
• Data minimisation: this principle is about keeping the data you need only for as long as you need it. In financial services, for example, you’re required to hold data for seven years. After that, it should be securely deleted.
• Compliance: the Act gives the Privacy Commissioner new power to issue compliance notices and fine businesses for breaching privacy rules. The maximum fine has been raised from $2000 to $10,000.

What does the new Act mean for your business?

The law changes in a couple of weeks, but it’s not too late to prepare your business. Here’s how to get started:

1. Review customer data

Look at what type of data you collect about your customers and/or employees, what it’s used for, how far it dates back and who is responsible for collection and storage. This information will help you build up a picture of your data collection.

2. Look at your storage solutions

The next, crucial step is to identify where your data is stored. For some, this will be easy – if you use ERP software, you should be able to pull up customer information in seconds.

In other organisations, finding data could be complicated. You may have email addresses stored in spreadsheets, customer details in an online database, some records in the cloud and others on your server. If your data is scattered, it might be time to merge it into a single, unified system.

Wherever your data is stored, it needs to be secure with two-factor authentication in place.

3. Check your cloud services

Because the new Act requires that overseas providers meet privacy standards, it’s your responsibility to check that your cloud services are secure.

Ask your provider for current security audit reports, or get a third-party auditor to check their systems. If they can’t demonstrate high-level security standards, it could be time to look for a new provider.

3. Identify authorised staff members

Controlling access isn’t just about preventing breaches from outside the company – malicious or accidental breaches from inside are actually more common. Look hard at who can access customer or employee data in your business – and why. Limit access to those who need it in their day-to-day work.

It’s also smart to choose a ‘Privacy Officer’ if you don’t have one already. This person should have a good understanding of the new Act and will be responsible for dealing with any privacy issues that arise.

4. Create a plan for breaches

Although you don’t ever want to deal with a data breach, they are extremely common. They’re not just classic cyber-attacks but inadvertent breaches caused by human error – think: sending an email to all your customers containing sensitive personal information.

If you have a plan in place, you’ll be able to respond quickly, minimise the damage and notify the affected parties.

Before you create a breach plan, you need to know when a breach occurs. Make sure your systems are set up for regular audits and monitoring, so you can spring into action if needed.

5. Get expert advice

If you’re not feeling confident in your security measures, get advice from your lawyer or a privacy expert, and talk to your software providers. These experts will have a better grasp of the legal and technological issues and should be able to help you meet your obligations.

If you want to get your head around the legislation before you seek advice, take a look at this free guide from the Privacy Commission.

Changing laws, changing your business

If your current software seem inadequate for the new rules, it could be time to look at other solutions.

MYOB has a few options that can simplify access to customer details and boost security measures. An upgrade could be the easiest way to make sure your business is prepared for the new law.