Changes to the Privacy Act - What does it mean for you?


The new ‘modernised’ Privacy Act has been passed and will take effect from the 1st of December 2020. So what does this mean for you?

We’ve done the hard work for you and put together a summary of key changes.

What’s changed? Not a lot - most of the changes relate to how the law is enforced and ensuring early intervention in the event of a breach.

Key changes include:

  • Reporting data leaks – organisations must now report data breaches (leaks) to both the Privacy Commissioner and the individuals affected if the leak is potentially ‘harmful’. What defines harmful? That’s quite subjective - but consider how sensitive the data is, who has access to it and whether someone could be aggrieved or offended if the data was shared.

  • Overseas compliance – any data transferred or stored overseas will need to conform to New Zealand laws, and the law applies to any organisation conducting business in New Zealand, regardless of where it’s based. However, this does not apply to offshore data processors (i.e. cloud storage providers such as Microsoft Azure or AWS) – most of which have offshore data centres.

  • Harsher penalties – the Commissioner can order businesses to comply with the Act, and failure to do so can result in a fine. It’s also now an offence to destroy or tamper with personal information when it has been requested by an individual, and the Privacy Commissioner can demand the release of data on the request of an individual. Non-compliance with the Commissioner’s requests can result in fines of up to $10,000.


How does all this compare to international law?

We’re still a long way behind the much stricter GDPR (EU) and CCPA (California) global data protection laws. The main differences relate to the rights of individuals – New Zealand has not implemented policies such as ‘the right to be forgotten’ or ‘data portability’ (the right to request a copy of your own data) – and New Zealand organisations won’t (yet) be subject to the big fines seen overseas for non-compliance.

However, this is just the beginning. We expect to see more changes to the Act in years to come. New Zealand businesses should be looking to international law as an example of the ‘gold standard’ for data privacy best practice, and ensuring internal policies and processes are in line with not only New Zealand law but also international law, so they’re set up for compliance in the future.

Click here to read the latest Privacy Act legislation.

At Data Insight, we take data privacy very seriously. Get in touch with us to learn more about how we can work with you.