New data privacy rules are coming in NZ — businesses and other organisations will have to lift their games

Most people these days are aware that what they share online is both valuable and vulnerable. Data privacy has become a major concern for consumers and corporations alike. The issue will come to a head when New Zealand’s Privacy Act 2020^[1] comes into force on December 1.

The legislation replaces and updates the 1993 act. Its key purpose is to promote people’s confidence that their personal data and information are secure and will be treated properly.

The act makes notification of privacy breaches^[2] mandatory. Organisations receiving and collecting data will now have to report any privacy breach they believe has caused, or is likely to cause, serious harm.

Those organisations can also be issued with compliance notices that require them to do something, or stop doing something, in order to comply with the law.

It will be in their interests to quickly adapt to the new regulations — not just legally, but also commercially. Our research^[3] suggests building consumer trust is critical for organisations that require customers to share information with them online.

However, a recent survey^[4] commissioned by global technology company Masergy revealed 70% of business leaders find data security challenging.

Ethics must keep pace

This is a concern in a technologically driven business environment. The collection and analysis of consumer data are now integral to many industries. The high degree of personalisation and convenience this allows gives many businesses their competitive advantage.

Because of this, data analytics will be among the most important technology investments^[5] for New Zealand companies over the next 12 months. With COVID-19 driving increased e-commerce and digital activity, we can expect significant increases in consumer data being exchanged online.

Read more: Big Data is useful, but we need to protect your privacy too^[6]

At the same time, the fast pace of technological transformation risks important ethical considerations about data ethics and data governance^[7] being overlooked.

As the recent Netflix documentary The Social Dilemma^[8] highlighted, the growth of social media, e-commerce and online data surveillance (sometimes known as “dataveillance”) has built a huge system of information accumulation.

This enables organisations to anticipate and change consumer behaviours to drive revenue and gain market control. How they responsibly govern themselves will only become more important^[9].

New Zealand has a good record

Internationally, the European Union’s 2018 General Data Protection Regulation (GDPR^[10]) has had a significant impact on international data flows well beyond the EU’s own borders.

GDPR allows the transfer of personal data between countries only if adequate data protection is guaranteed. The level of data protection has to be demonstrated at country level, and the EU has certified^[11] New Zealand as “providing adequate protection” of privacy.

This is good news, but organisations will need to ensure their approach to privacy^[12] shifts from “are we compliant?” to “are we compliant and doing the right thing?”

Read more: People want data privacy but don't always know what they're getting^[13]

Putting customer concerns first

There are several measures we think will help organisations build this trust and comply with the law:

• being aware of the regulations, including the GDPR and the mandatory data breach reporting provisions in New Zealand’s Privacy Act 2020, as well as other data protection laws that may apply when operating a business internationally

• using data experts to design effective governance frameworks that ensure data security and protection

• emphasising transparency — organisations should be able to demonstrate to consumers how their data may be used and the specific benefits they can expect from the data disclosures they make

• empowering customers — organisations must develop data strategies that will place customers in control of the information they decide to share, while demonstrating how information may be used to benefit others

• promoting “privacy by design” approaches that allow customers to match their data-sharing preferences with their privacy level preferences.

The Privacy Act 2020 and the GDPR framework will force organisations to recognise the value of their data and be more aware of the growing legal thresholds they need to meet.

But the penalties and reputational risks of noncompliance should not obscure the clear commercial benefits of voluntarily adopting ethical, customer-first business practices.

References

1. ^{^} Privacy Act 2020 (www.privacy.org.nz)
2. ^{^} notification of privacy breaches (www.privacy.org.nz)
3. ^{^} Our research (www.emerald.com)
4. ^{^} recent survey (www.masergy.com)
5. ^{^} technology investments (www.nzherald.co.nz)
6. ^{^} Big Data is useful, but we need to protect your privacy too (theconversation.com)
7. ^{^} data ethics and data governance (www.emerald.com)
8. ^{^} The Social Dilemma (www.netflix.com)
9. ^{^} more important (hbr.org)
10. ^{^} GDPR (ico.org.uk)
11. ^{^} certified (ec.europa.eu)
12. ^{^} approach to privacy (www.emerald.com)
13. ^{^} People want data privacy but don't always know what they're getting (theconversation.com)