The New Privacy Act is set to transform how businesses treat personal data

The  Privacy Act 2020, which repealed and replaced the Privacy Act 1993 came into effect on 1 December 2020. This new law has updated New Zealand’s approach to data security more than two decades after the first Privacy Commissioner’s report “Necessary and Desirable” first drew attention to the need for reform in 1998. Specifically, the Privacy Act 2020 focuses on protecting the personal data of individuals and providing them with the security they need to function in an increasingly data-driven world.

This, of course, presents a challenge to businesses who collect and store personal data. Nearly all businesses collect some personal data from customers, such as names, addresses and contact information. With these new regulations now in effect, it’s important for businesses to understand that their obligations have changed under the law. Because the old Privacy Act 1993 was so outdated, pre-dating the rise of big data and the digitalisation of our lives in general, it didn’t address many of the vulnerabilities faced by private individuals today. As a result, many businesses weren’t required to protect private customer or employee data from modern cyberthreats.

At Trustees Executors, we have spent the past several months reviewing our processes to ensure our compliance with the Privacy Act 2020. Many businesses, however, will be needing to address data security for the first time in order to protect themselves both from the consequences of non-compliance and the potential costs of a data breach.

Cybersecurity is a growing problem for Kiwi businesses and consumers

The incidence and scope of cybercrime has grown steadily for decades, with scammers successfully targeting everyone from massive multinational corporations to small businesses . This has made consumers increasingly wary of sharing or using their personal data online. This, in turn, is bad for businesses who often can’t operate without it. Now, since the start of the global COVID-19 crisis, the FMA has reported a major increase in investment scams impersonating New Zealand businesses.

Investment scams are on the rise

One in five Kiwis have been targeted in investment scams, often using the names and details of legitimate businesses to trick investors with fake websites or social media accounts. The difficult global economic conditions produced by the pandemic have made investors vulnerable. Uncertain investors who have faced a tough year may be looking to make up for earlier losses. This makes the promise of high returns more enticing than usual and might lead some to ignore red flags that they would otherwise notice.

Data breaches are the biggest threat

Unfortunately, scams are only a small part of cybercrime. Often, criminals focus on obtaining personal data from businesses, rather than directly stealing money from their immediate victims—whether those are individuals or organisations. Many businesses store vast amounts of customer data from thousands or millions of customers, including names, addresses, contact information, credit card data, and purchase histories. This type and volume of data is extremely valuable but doesn’t inherently threaten the business from whom the information is hacked. Because of this, many businesses may not take appropriate measures to protect the data.

Other businesses might take measures to protect their data, but don’t think twice before sharing information with international subsidiaries, suppliers, or business partners who may be much more vulnerable to attack. While some effort is made in cases like these, individuals are hardly better protected in the end. The Privacy Act 2020 regulates these kinds of offshore transfers of personal information while also working to mitigate the damage caused by data breaches, and clarifying the extraterritorial scope of the law.

Ignoring data protection is no longer an option

As of December 1, businesses who hold personal data are legally required to report breaches that have caused or are likely to cause “serious harm” to the Privacy Commissioner, as well as any other relevant individuals. To determine the likelihood that serious harm may be caused, the Privacy Act 2020 provides guidelines to consider:

-    Actions taken by the business to reduce the risk of harm following the breach;
-    Whether the personal data is sensitive in nature;
-    The type of harm that may be caused to victims;
-    Who obtained (or who could obtain) the personal data as a result of the breach; and
-    Whether the personal information is protected by any security measure.

Fines and enforcement

To help enforce compliance, the  Privacy Act 2020 empowers the Privacy Commissioner to issue compliance notices and to demand the release of personal information in some cases. It does not, however, provide the kinds of protections or enforcement mechanisms found in the EU’s GDPR or California’s CCPA.

The US, EU, and UK have the ability to issue eye-watering fines for data breaches to motivate major data-collecting businesses to expend the resources and effort needed to keep their data secure. The Privacy Act 2020 doesn’t go this far, but it has raised penalties for compliance violations from $2,000 to $10,000 , allowed class actions depending on the circumstances, and introduced potential criminal penalties in more serious cases. This is, in part, because both social and traditional media have begun to provide significant external motivation to take data security seriously.

Spurning data security carries extralegal consequences that shouldn’t be ignored

In recent years, large data breaches have increasingly made international headlines, while news of smaller breaches are aggressively shared on social media platforms. This results in backlashes against businesses who fail to secure their data, or who don’t report breaches as soon as they are detected. Consumers who fear that their data isn’t in safe hands will take their business elsewhere.

A 2017 study of customers affected by data breaches done by the Ponemon Institute and Centrify found that 65% of respondents “lost trust” in the organisation that was hacked, and 27% discontinued their relationship. This means that, even for many businesses in the EU or UK, the loss of trust resulting from a data breach will cost even more than the astronomical fines imposed by their governments.

Our View

Our Enterprise Risk and Compliance team has spent the past several months ensuring that all internal business unit processes comply with the Privacy Act 2020. At Trustees Executors, we handle and store sensitive information as a matter of course. Because of this, we make every effort to validate our clients’ trust in us and the data security we maintain. Continual testing and regular training for our people, technology and policies will continue going forward, as we see this area is of the utmost importance.

The Privacy Act 2020 is an important step toward providing Kiwis with the data security they need to confidently operate in a data-driven digital society. While not all businesses hold highly sensitive financial and legal information about clients, even relatively mundane personal information can cause harm when it gets into the wrong hands. Because of this, it’s important that everyone, even businesses who might not consider the personal information they hold to be “sensitive”, needs to treat data with respect, and take data security seriously.