After much anticipation, the Privacy Bill has passed its third and final reading and is set to be signed into law, with a commencement date for most provisions of 1 December 2020.
We’ve published numerous articles on the Bill’s journey and the general outlook for privacy law in New Zealand, including information about what businesses will need to know to prepare for the new Act coming into force. You can read those articles here, here, and here.
Now that the new Act is set to come into force, it’s time for businesses to prepare for its commencement, including the steps set out below:
- Create a data breach plan: From 1 December 2020, your business will be expected to comply with the notifiable privacy breach regime. That regime will apply to a broad range of ‘breaches’, from information on physical files and accidental breaches, to an inability to access information. But while breaches can be difficult to predict, your response shouldn’t be. Now is the time to create a plan about how your business will assess, contain, and respond to breaches in a way that complies with the new Act. Chances are doing so will also bring to light some vulnerabilities in the way that your business handles personal information.
- Check your cloud service provider agreements: The new Act explicitly clarifies that businesses that use cloud service providers to host personal information – including providers based offshore – will remain responsible for that personal information. As such, businesses should make sure that their service providers don’t inadvertently cause them to breach the new Act. A good place to start is to review the agreements your business has in place with such providers, to identify any gaps, and to implement robust diligence procedures to vet the technical and organisational measures any service provider has in place to protect the personal information which you entrust to them.
- Sending information offshore?: If your business discloses information offshore for other businesses to use for their own purposes, from 1 December 2020 you’ll need to have a legal basis for doing so, even if the entity you are disclosing the information to is part of the same ‘group’ as your business. There are a number of grounds that you might be able to rely on, including grounds that are due to be clarified further by regulations. Now is the time to establish whether your business will need a legal basis for making a disclosure offshore, and what might need to change.
- Doing business in NZ: If your business is based overseas, but you deal with individuals in New Zealand, from 1 December 2020, you might be caught by the new Act – even if you don’t have a physical presence here. Now is the time to check whether you might be required to comply, and what that looks like practically for your business.
- Time for a refresh?: While the new Act doesn’t introduce changes to what needs to be included in a privacy statement, now is an opportune time to review your existing practices. For many, it will have been some time since you checked that your statements align with the reality of the way your business collects, uses, stores, and discloses information. And with the Privacy Commissioner’s increased investigatory and enforcement powers introduced by the new Act, it makes sense to make sure your privacy policies are up to date, transparent, and accurate, and your staff have all had appropriate training.