For New Zealand businesses, the incoming Privacy Act 2020 and the GDPR framework will require you to recognise the value of all customer data you are collecting and storing, and be more aware of the growing legal thresholds you need to meet.
It's been 27 years since the original NZ Privacy Law was enacted and much has changed in the global business landscape since then.
From December 1, 2020, organisations will need to build trust and comply with the law by applying these five measures:
1) Being aware of the Privacy Act regulations
2) Using data experts to design effective governance frameworks that ensure data security and protection
3) Emphasising transparency
4) Empowering customers
5) Promoting “privacy by design” approaches that allow customers to match their data-sharing preferences with their privacy level preferences.
Two of the most significant changes in the new Act are as follows:
1) If a business or organisation has a privacy breach that has caused serious harm to someone (or is likely to do so), it will need to notify the Office of the Privacy Commissioner as soon as possible. It is an offence to fail to notify the Privacy Commissioner of a notifiable privacy breach.
If a notifiable privacy breach occurs, the business or organisation should also notify affected people. This should happen as soon as possible after becoming aware of the breach.
2) It will now be a criminal offence to:
-- mislead a business or organisation by impersonating someone, or pretending to act with that person’s authority, to gain access to their personal information or to have it altered or destroyed.
-- destroy a document containing personal information, knowing that a request has been made for that information.
The penalty in all cases is a fine of up to $10,000.
For more information about the changes the new Act includes, the Office of the Privacy Commissioner has a significant collection of resources, including an e-learning section to ensure all businesses are up to speed with requirements.
In a technologically driven business environment, the collection and analysis of consumer data is now integral to many industries - and that means all business operators will need to lift their game.
Many will have done this already when the GDPR regulations rolled out, particularly companies that trade with or sell to international customers, or that have visitors from around the world using their websites, signing up to email newsletters or handing over their details in any kind of digital format.