Data Protection and Cybersecurity in New Zealand: Why The Time is (Always) Now

Why Data Protection and Cybersecurity Matter for Businesses

In an increasingly digital world, data protection and cybersecurity have become critically important for businesses. As companies collect, store and process more and more data, the risks relating to privacy and cybersecurity continue to evolve. Ensuring compliance the Privacy Act 2020 (Privacy Act), while mitigating cybersecurity risks, is a fundamental aspect of keeping customer data safe, and protecting a business’s commercial interests.

Understanding New Zealand’s Privacy Act 2020

Key Changes in the Privacy Act

The Privacy Act is the foundation of data protection in New Zealand. It replaced the Privacy Act 1993 and introduced significant changes to align with global best practices, including by drawing on elements European Union’s General Data Protection Regulation (GDPR) – though it lacks the ‘teeth’ that the GDPR has. The Privacy Act applies to any organisation or business that collects and uses personal information (known as ‘agencies’ for the purposes of the Act).

Privacy Act Compliance Requirements

Among other things, under the Privacy Act, agencies are required to:

• only collect information for a lawful purpose that is necessary for their business operations;
• ensure data accuracy and security when handling personal information;
• inform individuals when collecting their data, including the purpose of collection;
• allow access and correction for individuals to view and amend their personal information; and
• report notifiable privacy breaches to the Office of the Privacy Commissioner (Commissioner) and affected individuals if the breach causes or is likely to cause serious harm.

Failure to comply with the Privacy Act can result in enforcement action by the Commissioner, not to mention reputational damage and other legal consequences.

Cybersecurity Best Practices for New Zealand Businesses

While the Privacy Act governs the handling of personal information, businesses must also consider their broader cybersecurity obligations.

Best practices include:

• Data encryption: Sensitive data should be encrypted both in transit and while being stored, helping to prevent unauthorised access.
• Access controls: Implementing robust access controls ensures that only authorised personnel have access to confidential information.
• Incident response plans: Organisations should develop and regularly update incident response plans to manage and mitigate the impact of cyberattacks.
• Employee Training: Regular cybersecurity training for staff is essential to minimise human error.
• Third-Party Risk Management: Businesses must ensure that third-party vendors and partners comply with cybersecurity standards and contractual obligations.

Legal Protections Against Data Breaches & Cyber Threats

Clear contractual terms help to mitigate legal risks associated with data protection and cybersecurity.  Key areas to focus on include:

• Data protection obligations: Ensuring that commercial contracts include robust data protection clauses. This is particularly important when engaging with third-party service providers who process data on behalf of a business.
• Liability Clauses: Clearly allocating liability for data breaches and ensuring there is clear responsibility for cybersecurity obligations.
• Cross-Border Data Transfers: Ensuring the contracts are consistent with legal requirements for transferring personal data overseas. Under the Privacy Act, agencies must ensure comparable privacy protections when sharing data internationally.
• Insurance: Cyber insurance policies can mitigate financial risks associated with data breaches and regulatory penalties.

Data protection and cybersecurity are no longer just technical issues – they are legal imperatives for businesses operating in New Zealand. The Privacy Act sets a robust framework for safeguarding personal information, while the increasing threat of cyberattacks requires proactive and comprehensive risk management. By integrating robust legal protections with cybersecurity best practices, businesses can navigate complex regulatory environments, while fostering trust and protecting their commercial interests in the digital age.