Under the Privacy Act 2020, all New Zealand businesses who collect, store or use personal information about their employees and/or customers will be required to comply with new legal obligations.

Businesses will; be required to report serious data breaches to both the people affected and the Office of the Privacy Commissioner; are prohibited from destroying any personal information held by their business to avoid providing it if someone requests it; and, need to ensure their service providers meet new privacy laws if they are based overseas (e.g. Cloud Software).

Information and Data Security Expert Michelle van Straalen, Director of The Information Privacy Company, says most New Zealand businesses are unaware of their obligations and will be in breach of the new law.

“It’s fair to say, most clients we’re speaking to are unaware about their obligations and the relevance of this law to their business and systems,” says Michelle.

“Whether it’s customer details or staff files, most businesses keep private information on file, so they need to ensure they understand and comply with the new rules. The more sensitive the information, the more measures they’ll need to take to protect it.”

Van Straalen stresses that businesses need to review their systems and work through data and information scenarios to ensure processes are in place, and policies are watertight and compliant.

“How they safeguard personal information depends on the sorts of information they collect.  This includes talking to staff, updating policy and processes, disposing of personal information when they have finished with it, and appointing an information privacy officer,” she says.

“Plus, if they use an overseas-based service provider, like cloud software, they should be asking the provider how they’re meeting New Zealand’s privacy laws.”

“Breaches and careless handling of private information can cost businesses heavily, so we’re encouraging them to take it seriously, be proactive and prepare now to avoid penalty.