SMBs and the new Privacy Act: will it affect you?
The year 2020 just keeps on giving. Now business owners must come to terms with the new Privacy Act. Ashwin Pal explains just what that means.
The Privacy Act 2020 isn’t a bad thing. For the majority of New Zealand’s population – those who do not engage in cybercrime as a vocation – this is good. It means people who are affected by a privacy breach have to be informed of that breach quickly, to help minimise its impact. This is a critical component of building and keeping customer trust. We Kiwis are well aware of how a privacy breach might impact us – even in 2020, dominated by COVID-19, New Zealanders’ concern about bankcard fraud and identity theft is only slightly lower than their concern about natural disasters such as pandemics¹.
The new Privacy Act came into effect on 1 December and is an updated version of the 1993 Privacy Act, with new rules around mandatory disclosure of data breaches by businesses and other organisations. It brings New Zealand in line with laws in many other jurisdictions – such as Australia.
The new Act requires organisations to notify the Privacy Commissioner and any affected individuals as soon as possible after becoming aware of a privacy breach or loss of personal information. The Act also includes a new information privacy principle that focuses on the disclosure of personal information outside New Zealand. The aim is to ensure personal information sent offshore remains subject to comparable privacy safeguards as those that apply in New Zealand.
It also increases the Privacy Commissioner’s powers to publish compliance notices and fines for privacy breaches.
There have been several high-profile incidents involving data breaches, misuse of personal information and malicious cyber-related attacks in New Zealand over the past year. In fact, reported cybersecurity incidents reached a record high, according to Cert NZ’s Q3 2020 report.
From 1 July to 30 September 2020, Cert NZ received more than 2600 incident reports from individuals and businesses – the highest number to date and a 33 percent increase on the second quarter. The reported financial loss was approximately NZ$6.4 million. This shows that the threat of cybercrime is very real, and that ultimately, the goal of the updated Privacy Act is to limit the number of data breaches in New Zealand and reduce the financial loss caused by cybercrime.
For a small business, staying on top of cybersecurity and privacy requirements is often a challenge, as it is unlikely to have a dedicated Chief Information Security Officer (CISO). In addition, many smaller businesses form part of the supply chain for large organisations, including government agencies, so breaches can have far-reaching impact.
A 2019 Unisys cybersecurity survey found that nearly half (47 percent) of the respondents believed their company didn’t make it clear to customers when they were collecting personal data, and those working for small businesses were least likely to believe their approach was based on recognised industry frameworks.
Top tips for compliance
In summary, the new Privacy Act means preparation, internal training and ensuring supplier compliance are essential for all New Zealand companies – regardless of size. My top tips to effectively adapt to the new Privacy Act are:
- Treat data privacy as a business issue – New Zealanders’ high level of concern about data security puts organisations on notice that they risk not just losing data, but also losing business.
- Act with speed – be able to identify and isolate breaches quickly to minimise the impact and to speed recovery.
- Know your data – find out what Personally Identifiable Information (PII) data you are storing, and where and how it is secured. If it’s not needed, delete it. Don’t keep data “just in case”: if you have no legitimate purpose for it, you shouldn’t be holding it.
- Understand your third-party suppliers – it is important to know how your third-party suppliers are handling PII data, as responsibility for its security remains with you.
- Review the personal information your business holds and your information management practices. For example, could you provide someone with their personal information in a timely manner if requested?
- Develop a privacy breach response plan – who needs to be aware and involved?
To effectively comply with the new privacy requirements, even small businesses will most likely need to change how they record and store customer and client data to ensure it’s protected from cybercriminals. For SMBs, one of my key pieces of advice is to move your business to the cloud if you haven’t already done so, as this allows you to leverage the security provided by the cloud vendor. However, you still have to define the security you need and ensure this is provided by the cloud vendor you select. You can outsource responsibility, but not accountability.
Aside from privacy concerns, the cloud can help provide improved access and flexibility, and be an important component in cybersecurity for SMBs. In fact, I’m not alone in favouring the cloud for data storage, as Unisys recently conducted a Cloud Barometer Survey where it polled 88 New Zealand IT and business leaders. More than half said they thought the company’s data was more secure in the cloud than in-house, and cited security as the top reason for moving their apps, data and processes to the cloud.
Lastly, the 2020 Privacy Act will affect you as a business – regardless of size – and the only thing better than a cure is prevention.
Ashwin Pal is director of cybersecurity at Unisys.
1 – Unisys Security Index 2020: New Zealand – www.unisyssecurityindex.co.nz