The Privacy Act 2020 | What you need to know

With so many of our daily activities conducted online, from shopping to banking, user data is increasingly passed through systems and often across countries. To protect customers’ personal data, New Zealand’s privacy law framework is being updated.

With effect from 1 December 2020, the Privacy Act 2020 (the Act) will come into force, replacing the Privacy Act 1993. For organisations that handle and process data, now is the time to take stock of potential cyber and privacy risks, which can carry significant financial and reputational harm.

New privacy regulation

The key purpose of the Act is to promote people’s confidence that their personal information is secure and will be treated properly. The intention is to bring New Zealand in line with international privacy protection policies.
Below is a snapshot of some of the changes:

  • Introduction of mandatory reporting to the Privacy Commissioner and affected individuals if a breach causes, or is likely to cause, serious harm. Mandatory reporting extends to data an organisation has stored with a cloud service provider: if the cloud provider suffers a breach, the organisation must still notify;

  • A failure to notify the Privacy Commissioner of a notifiable privacy breach is an offence with a fine up to $10,000;

  • Introduction of compliance orders issued by the Commissioner; failure to comply with an order could result in a fine (the maximum fine for this offence is $10,000);

  • The Commissioner has the power to demand the release of personal information if a business refuses to make it available on request;

  • Before businesses disclose New Zealanders’ personal information overseas they will need to ensure those parties have similar levels of privacy protection or obtain consent of the affected person(s);

  • New offences for false and misleading behaviour.

How businesses can prepare

Data comprehension: Understand what personal data you’re collecting and how you’re handling it. If your organisation collects personal data, it’s good practice to understand and document what data you are collecting and how you are handling that information: why you are collecting it, how you are using it, whether it is transferred and, if so, where and to whom, what the data’s life span is, and when the data will be deleted.

Data minimisation: It’s generally best practice to minimise the amount of personal data you collect, collecting only what is really needed for your business processes.

Transparency: Make sure your clients or customers know what personal data you’re collecting, how you’re using it and how you’re securing it.

Request readiness: Prepare to respond to data subjects’ rights requests. Organisations that are open and honest with individuals making those requests might not always make them happy, but they’ll reduce the risk of regulatory complaints.

The role of cyber insurance

If your organisation suffers a privacy breach from a cyber event, what is your action plan to resolve it in a timely manner and meet the requirements of the Privacy Act?
Cyber Risk insurance provides the forensic and legal expertise and the management support to assist you in notifying in accordance with the Act. This includes an appropriate response to notify your clients and customers that meets the requirements of the Act and delivers the trusted response your customers would expect.

However, notification of the incident is only one aspect of dealing with a data breach. Costs can include legal and litigation fees, the expense of regulatory investigations, reduced revenues as a result of business interruption, remediation, public relations and compensation, all of which could potentially be covered by a robust cyber insurance policy.

For advice about the best approach to protect your business from a data breach, talk to Aon about Cyber Risk insurance today.

Finn Jolly
+64 9 362 9183

Michael Twyman
+64 9 362 9187

This website contains general information only and does not take into account your individual needs or financial situation. It is important to note that limits, excesses, terms and conditions and exclusions apply to the products and services outlined on this website. Please refer to the relevant policy documents for details of cover, the provision of which is subject to the insurer’s underwriting criteria that apply at the time. Please contact us if you have any questions.