New Zealand Privacy Laws Have Changed — Are You Ready?

On 1 December, new privacy legislation, the Privacy Act 2020, came into force in New Zealand. The act greatly increases the potential consequences for any organisation that breaches privacy — having customers’ personal data stolen by a hacker, for example.

What does this mean for businesses?

The act requires an organisation suffering a breach that causes or is likely to cause serious harm to any individuals to notify both the people affected and the Privacy Commissioner. It gives the Privacy Commissioner power to issue directions to an organisation in relation to the breach and imposes fines of up to $10,000 per breach on any organisation that thwarts a request for personal information or destroys that information after a request for it has been made.

The new act also seeks to close a loophole in the current legislation, the Privacy Act 199, which in 2018 allowed Google to ignore orders imposed under the act because it is a US-based company. This won’t cut it with the new act coming into effect.

Overseas Bodies Now Covered

All overseas agencies carrying out business in New Zealand will be subject to the new act, regardless of whether or not they have a legal or physical presence there. The act applies even if personal information is collected and held elsewhere or if the person to whom the personal information relates resides in another country.

However, June Hardacre, senior associate at law firm MinterEllisonRuddWatts, says the issue of how to lay down the law to overseas entities is still being grappled with.

“This provision will affect foreign businesses who have in the past claimed they are not subject to New Zealand law as they have no physical or legal presence here. However, the enforceability of this provision on overseas agencies without a presence in New Zealand is still unclear.”

The possibility of costly payouts to every person whose data has been accessed should encourage organisations to take every possible measure to prevent a data breach.

The Act empowers “aggrieved individuals” whose privacy has been compromised to commence proceedings in the Human Rights Review Tribunal as a class action. The Tribunal has the power to award up to $350,000 as compensatory damages for losses suffered to each member of such a class action.

Rapid Response Capability Essential

Every organisation that holds data on New Zealanders needs to implement robust security technologies, policies and procedures to ensure it does not breach customer privacy. It also needs to establish policies and procedures to act swiftly and appropriately in the event of a data breach.

Staff cybersecurity awareness training is essential both to prevent breaches and to enable a rapid and appropriate response if one does occur. The weakest link in the cybersecurity chain is nearly always the human. Human error is involved in more than 90% of all security breaches.

Security awareness training is one of the most effective ways to reduce your cybersecurity risk. Successful training will address serious topics in a seriously funny way to engage your employees and change behaviour. The approach should be to make the videos short and light-hearted so people will engage with them while covering a variety of human error-related security risks and cyber hygiene topics like passwords, phishing, unvetted downloads, vishing and ransomware.

The goal is to humanise security with content that effectively engages both security and non-security employees. Collectively, cybersecurity awareness training can significantly improve an organisation’s security culture, radically change employee behaviour and lower security risk.

Constant vigilance needed

None of the components of your data breach protection and response regime should be ‘set and forget.’ You should review security technologies regularly, rehearse your breach response procedures and constantly reinforce staff awareness training.

As Hardacre says: “Organisations will be well served by treating privacy protection as a cultural norm; to embed it in the design and fabric of how an organisation works.”

And, if your organisation is not well prepared and suffers a data breach, expect trouble. Hardacre expects the Privacy Commissioner to “make a few high-profile examples of non-compliers early in the new regime and to let that set a tone for compliance expectations going forward.”

The Bottom Line

Organisations need an approach that combines technology, awareness and vigilance to achieve the right security posture and be ready for the changes in privacy laws. As with any new law or process, regular training is needed to protect organisations and their teams, so start planning for training that will roll into 2021.