If you have undertaken the Compliance Questionnaire, you may be wondering what further steps you can undertake to ensure your compliance and improve your cyber resilience.
Ahead of the commencement of New Zealand’s Privacy Act 2020 on 1 December 2020 (superseding the Privacy Act 1993), your business should be well equipped to respond to the changes. The following extract from the New Zealand Privacy Commissioner covers the key updates and how your business should review its privacy practices to remain compliant.
How will the changes affect Australian businesses?
- Notifiable privacy breach scheme – if a business or organisation has a privacy breach, and believes it has caused or is likely to cause serious harm, it will need to notify the Office of the Privacy Commissioner and the affected individuals as soon as possible.
- Compliance notices – the Privacy Commissioner has the power to issue a compliance notice to businesses or organisations to action or stop something in order to comply with the Act.
- Enforceable access directions – the Privacy Commissioner has the power to direct agencies to provide individuals access to their stored personal information.
- Disclosing information overseas – the Privacy Act will regulate how you treat information overseas, whereby the receiving international agency will need to have safeguards similar to those contained in the Privacy Act.
- Extraterritorial jurisprudence – the new Privacy Act will have extraterritorial effect over businesses or organisations carrying on business in New Zealand, even without having a physical presence.
- Criminal offence provision – under the new Privacy Act, it will be an offence for an organisation or a business to destroy personal information following a request to access it.
This privacy breach factsheet is a good summary and starting point to help your business take action if a breach has occurred.
Additionally, the New Zealand Privacy Commissioner has an e-learning feature for actionable steps for privacy compliance.
Failure to comply with or adhere to mandatory reporting following a harmful breach will amount to a criminal offence, carrying a fine of up to $10,000 for each individual affected.