25th November, 2020
Changes to privacy law come into effect soon with the introduction of the new Privacy Act – here’s how they will affect your business.
When New Zealand’s Privacy Act was written in 1993, the internet was just emerging.
Back then, it was unusual for a business to have a website, and few could have imagined that three decades later we’d be doing almost everything online – including grocery shopping, job applications, banking, dating and booking rides home. Now that this is a reality, our privacy laws are changing to reflect this massive shift.
On 1 December, 2020, New Zealand’s new Privacy Act comes into force. The new legislation offers greater protection for individuals, puts more responsibility on businesses, and covers overseas businesses working in NZ and NZ businesses using overseas services. It’s designed for the internet age, to protect private information and minimise data breaches.
The rules will apply to all businesses that collect, keep and store customer data, whether it’s a vast database of personal and financial details or a single spreadsheet of client email addresses. The Privacy Commissioner will have the power to fine businesses that breach the rules.
That’s why it’s essential to do some research and preparation now – even if you think your business is handling privacy well.
There are a few significant changes in the 2020 Act that could have an impact.
The law changes in a couple of weeks, but it’s not too late to prepare your business. Here’s how to get started:
Look at what type of data you collect about your customers and/or employees, what it’s used for, how far it dates back and who is responsible for collection and storage. This information will help you build up a picture of your data collection.
The next, crucial step is to identify where your data is stored. For some, this will be easy – if you use ERP software, you should be able to pull up customer information in seconds.
In other organisations, finding data could be complicated. You may have email addresses stored in spreadsheets, customer details in an online database, some records in the cloud and others on your server. If your data is scattered, it might be time to merge it into a single, unified system.
Wherever your data is stored, it needs to be secured, with two-factor authentication in place.
Because the new Act requires that overseas providers meet privacy standards, it’s your responsibility to check that your cloud services are secure.
Ask your provider for current security audit reports, or get a third-party auditor to check their systems. If they can’t demonstrate high-level security standards, it could be time to look for a new provider.
Controlling access isn’t just about preventing breaches from outside the company – malicious or accidental breaches from inside are actually more common. Look hard at who can access customer or employee data in your business – and why. Limit access to those who need it in their day-to-day work.
It’s also smart to choose a ‘Privacy Officer’ if you don’t have one already. This person should have a good understanding of the new Act and will be responsible for dealing with any privacy issues that arise.
Although you don’t ever want to deal with a data breach, they are extremely common. They’re not just classic cyber-attacks but also inadvertent breaches caused by human error – think: sending an email to all your customers containing sensitive personal information.
If you have a plan in place, you’ll be able to respond quickly, minimise the damage and notify the affected parties.
Before you create a breach plan, you need to know when a breach occurs. Make sure your systems are set up for regular audits and monitoring, so you can spring into action if needed.
If you’re not feeling confident in your security measures, get advice from your lawyer or a privacy expert, and talk to your software providers. These experts will have a better grasp of the legal and technological issues and should be able to help you meet your obligations.
If you want to get your head around the legislation before you seek advice, take a look at this free guide from the Privacy Commission.
If your current software seems inadequate for the new rules, it could be time to look at other solutions.
MYOB has a few options that can simplify access to customer details and boost security measures. An upgrade could be the easiest way to make sure your business is prepared for the new law.