If you’ve been following the Privacy Commissioner’s announcements, you may know the Privacy Act 2020 has finally made its way through Parliament and will come into effect 1 December.
However, with the myriad of business challenges that come with Covid-19 there’s a good chance you may not have paid much attention to what the new act will mean for your business.
In a nutshell, the act modernises our current privacy laws last set in 1993, back when the World Wide Web was still in its infancy. Clearly, we’ve come a long way since then and an update was well overdue. Business has become digital and so too has our data.
One of the most significant law changes is the introduction of mandatory breach reporting. Businesses will need to report serious privacy breaches where there is a risk of harm, such as leaked personal information published online or identity theft, to the privacy commissioner as well as notify impacted individuals.
The other thing to note is that the Privacy Act 2020 enforces penalties of up to $10,000 for certain privacy breaches. Individuals affected by the breach may also appeal to the Human Rights Review Tribunal which can award up to $350,000 per person affected.
While the December changes may seem months away, businesses responding to the changes may require significant system and process updates to ensure compliance. So, don’t leave it too late.
To help you start planning here are five questions to ask your wider business when reassessing your privacy processes.
Are we aware of all the information we store on customers?
A good place to start when reviewing privacy is to figure out what customer and employee information your business collects. Who is responsible for collecting this – marketing, HR or sales? This will help you build up a picture of what role personal data plays in your business.
An easy win is to ensure your business doesn’t collect unnecessary personal information. If a date of birth, address or mobile number isn’t vital, don’t ask for it. The less you hold, the less harm is done if company information is breached or leaked.
Where do we store this information, is it in one system or several?
Most businesses have data stored all over the place and won’t even know it. Your HR team might be saving information to the on-premises server, but your business intelligence team may have pulled this data out and stored it in a separate system in the cloud.
It’s important to get a grasp on where data is stored so you can ensure it’s been properly secured with passwords and two-factor authentication (2FA), as well as regularly deleted when no longer needed.
Remember, if you’re relying on a cloud service provider or third party to secure your data, you should take steps to ensure they are following the right security protocols. Ask for evidence of regular penetration testing or security audit reports or ask a third party to provide an independent security check if you’re still not confident.
Who has access to the data?
One of the biggest business mistakes you can make is failing to control who has access to sensitive and personal data. For example, if you are storing employee data on the company server, it’s best to make sure that only those authorised to see that data can access the folders.
The same goes for the cloud. Anything stored in the cloud or a cloud-based system needs to have proper security controls applied. People falsely assume the cloud offers an extra layer of protection, but this simply isn’t the case. It’s up to you to lock down cloud data with passwords or other authentication controls. Regularly check who has access to cloud data and revoke access to those who no longer need it or have left the company.
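One practical way to run the regular access check described above is to reconcile the permissions on a data store against the HR roster, so leavers and unknown accounts are flagged for revocation. The script below is an added example, not code from the original article; the roster, the ACL export and the "authorised departments" mapping are all constructed sample data, and the field names are assumptions about what an HR export and a share or bucket ACL export would contain.

```python
"""Periodic access review: compare who can reach a sensitive data store
with the HR roster and report entries that should be revoked or examined.
Added example; all data below is constructed, not taken from a real system."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Employee:
    user_id: str
    department: str
    end_date: Optional[date]  # None means still employed


@dataclass(frozen=True)
class AclEntry:
    resource: str
    user_id: str
    permission: str  # e.g. "read" or "write"


# Constructed HR roster (assumed shape of an HR system export).
ROSTER: Dict[str, Employee] = {
    "alice": Employee("alice", "HR", None),
    "bob": Employee("bob", "Sales", date(2020, 6, 30)),  # left the company
    "carol": Employee("carol", "BI", None),
}

# Constructed ACL export from a file share or cloud bucket (assumed shape).
ACL: List[AclEntry] = [
    AclEntry("hr-records", "alice", "write"),
    AclEntry("hr-records", "bob", "read"),         # leaver still has access
    AclEntry("hr-records", "carol", "read"),       # BI copied HR data out
    AclEntry("hr-records", "svc-backup", "read"),  # no roster entry at all
]

# Which departments are authorised to see each resource (constructed policy).
AUTHORISED: Dict[str, Set[str]] = {"hr-records": {"HR"}}

Finding = Tuple[str, str]  # (resource, user_id)


def review_access(acl: List[AclEntry], roster: Dict[str, Employee],
                  authorised: Dict[str, Set[str]], today: date) -> Dict[str, List[Finding]]:
    """Return findings grouped by reason.

    revoke_leaver:      account belongs to someone whose end date has passed
    unknown_account:    no roster entry, so nobody owns this access
    out_of_scope_dept:  current employee whose department is not authorised
    """
    findings: Dict[str, List[Finding]] = {
        "revoke_leaver": [], "unknown_account": [], "out_of_scope_dept": []}
    for entry in acl:
        emp = roster.get(entry.user_id)
        key = (entry.resource, entry.user_id)
        if emp is None:
            findings["unknown_account"].append(key)
        elif emp.end_date is not None and emp.end_date <= today:
            findings["revoke_leaver"].append(key)
        elif emp.department not in authorised.get(entry.resource, set()):
            findings["out_of_scope_dept"].append(key)
    return {reason: sorted(items) for reason, items in findings.items()}


def entries_to_revoke(findings: Dict[str, List[Finding]]) -> List[Finding]:
    """Leavers and unowned accounts are clear-cut revocations; department
    mismatches go to the data owner for a decision rather than auto-revoke."""
    return sorted(findings["revoke_leaver"] + findings["unknown_account"])


if __name__ == "__main__":
    result = review_access(ACL, ROSTER, AUTHORISED, date(2020, 9, 1))
    for reason, items in result.items():
        for resource, user in items:
            print(f"{reason:18} {resource:12} {user}")
    print("revoke now:", entries_to_revoke(result))
```

Run it on a fresh export each review cycle and keep the output with the review record; the department check deliberately produces a "look at this" list rather than an automatic revocation, because a BI analyst with a legitimate need is a policy decision for the data owner, whereas a leaver or an unowned service account is not.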
Who in our organisation is responsible for privacy, and are they equipped to manage this?
There may not be one person responsible for privacy in your organisation; duties tend to be passed around between departments, especially in smaller enterprises.
It’s important to make sure there is a go-to person for managing privacy. Having a central point in the organisation who is trained up on the new law, develops policies and processes, and shares relevant information with the people responsible across the organisation is key to improving data security.
A privacy framework or programme is a great tool that your privacy lead can leverage to help the rest of your business identify personal information, monitor it and follow guidelines for use.
Does our organisation have a way of knowing if/when it gets breached, and can we respond?
Unfortunately, data breaches do happen, and they’re probably more common than you think. Data breaches can be caused by cyber-attacks, where a hacker steals sensitive information, but it’s not always that sensational. Many data breaches are caused by internal human error, whether accidental or intentional.
The main thing to understand is that you can’t respond effectively to a breach if you don’t know it happened. That’s why it’s important to monitor your network, perform regular checks and audits of your data and how it’s used, and set up processes to report any data loss or breaches.
The best way to prepare for an actual breach is to create a crisis response plan and practise it under simulation conditions. Remember to factor communications into your plans too. Should the worst happen, you must be prepared to notify affected individuals, as well as the Privacy Commissioner, in the event of a serious breach.