As data sharing becomes a red-hot issue, the NZ government is bringing in some new rules about privacy, coming into effect before March 2020 (not that far off!).
This introduces bigger penalties for not sticking to our privacy legislation, and stricter enforcement. As an individual, that’s all good news, helping you control who knows what about you. As a business owner, it means compliance just got a little tougher (again).
So, it’s probably time to review how you look after information about your staff and customers.
It doesn’t have to be Fort Knox, but you do need “reasonable security safeguards” (that’s the standard the legislation uses) against loss, misuse, and unauthorised access or disclosure of personal information. What counts as reasonable will look different depending on the size and nature of your business and how sensitive the data is.
It’s not just about your responsibility to keep info private - it’s also about your obligations to share it.
If a customer or employee asks for a copy of their own information, you have to respond within 20 working days. Take care that you only hand over that person’s personal information and nobody else’s: if you keep records in shared spreadsheets or grouped by team or account, extract just the requester’s details rather than sending the whole file.
Under the new law the Privacy Commissioner gets more teeth here: the Commissioner can direct a business to release information it has wrongly withheld or sat on, and can serve a compliance notice on a business that isn’t meeting its obligations.
Under the Privacy Bill 2018, you’ll have a new responsibility to report privacy breaches that have caused, or are likely to cause, “serious harm” to the people involved. That covers a “hack” or some dodgy activity on a system where you keep sensitive records, but it also covers something as simple as accidentally emailing a confidential attachment to the wrong contact. If a breach meets the serious-harm threshold you have to notify the Privacy Commissioner as soon as practicable, and also let the affected people know (or give public notice if you can’t reach them individually). Keep it to yourself and, without a reasonable excuse, failing to notify the Commissioner is an offence with a fine of up to $10,000.
The update also tightens the rules on personal information going overseas, and it’s worth separating two situations. If an overseas provider only stores or processes data on your behalf, for example staff and customer records in Dropbox or Google Drive, which are held by US companies, the law still treats that information as held by you. That isn’t a “disclosure”, but you stay responsible for it, so check the provider’s security and its terms to make sure the information still has all the right protections. (PaySauce customers, don’t fret - we’re 100% Kiwi and we play by NZ rules when it comes to your employees’ data.) If you’re actually disclosing someone’s personal info to an overseas organisation that will use it for its own purposes, and that organisation isn’t bound by privacy protections comparable to New Zealand’s, you need that person’s express permission (or another lawful ground, such as the recipient agreeing under contract to protect the information).
New to all this privacy stuff? Don’t do a Zuckerberg. Be transparent! Create a clear, honest privacy statement and make sure all your customers see it. Here’s a pretty awesome tool to help you build a custom-made privacy statement, really easily. You might find that the questions in this tool actually help you reassess what information you’re collecting, and why.
You’ll probably want to draft a plan for how you’d work out whether a breach is serious and how you’d notify the Privacy Commissioner and affected customers if one did occur. Make sure there’s a Privacy Officer in your company too: every business is already required to have one under the current Act, and that continues under the new one. That’s just somebody who’s in charge of keeping everybody on the straight and narrow, handling requests for information, and dealing with any confidentiality questions or issues.
See the new Privacy Bill here.
Want to talk about privacy, payments, or the people part of business? We’re always up for a yarn. Punch in 0800 746 701 or head here.