New Zealand’s new Privacy Act 2020 comes into effect on 1 December 2020. It has the potential to catch many organisations off guard.
The new Act requires organisations to notify the Privacy Commissioner and any affected individuals as soon as possible after becoming aware of a notifiable privacy breach, for example some form of cyber-attack or an inadvertent loss of personal information. In many regards, this brings New Zealand into line with European countries under the General Data Protection Regulation (GDPR). Australia has similar legislation.
The new requirements mean organisations need to understand the benefits of communicating early and staying ahead of the legal requirements. Meeting compliance measures alone may not be enough.
Recognising, and planning for, reputational risk needs to be part of your organisation’s DNA.
Crisis management ‘101’ says communicating an issue on your terms is always better than having to respond to questions about it when it is in the public arena. You can rarely set the agenda when you are on the back foot.
Our 2020 Reputation Reality report highlighted that directors and senior managers believed data, privacy and cyber issues were one of the top two reputational risks facing organisations in Australasia.
There have been many high-profile incidents involving data breaches, misuse of personal information and malicious cyber-related attacks in the past year. The associated media coverage and social commentary have dominated the public narrative, and the organisations involved have had to work hard to manage the incidents.
In many of these instances, "open and proactive communication" was not how people described the incident or the organisation's response. While Continuous Disclosure Rules govern the compliance requirements of listed companies, it is a different story for non-listed entities. The problem, of course, is the time it can take to confirm what may have happened, and how much information is deemed necessary to make public.
The new Act's provisions also include a new information privacy principle that focuses on the disclosure of personal information outside of New Zealand. The aim is to ensure personal information sent offshore will be subject to privacy safeguards comparable to those that apply in New Zealand. The new Act also increases the Privacy Commissioner's powers to publish compliance notices for privacy breaches.
All of which means preparation, internal training and supplier compliance are essential.