- Mandatory notifications of privacy breaches – both to the affected parties and to the Privacy Commissioner;
- The Privacy Commissioner has the power to issue non-compliance penalties of up to NZ$10,000. It will be interesting to see if these rise in time. In comparison, the equivalent legislation in Australia has penalties of AUD$2.1m (although last year the Australian Government announced its intention to increase these) and in the EU, the GDPR fines reach the greater of €20m or 4% of the global annual revenue;
- If sharing information overseas, New Zealand organisations must ensure that those in receipt can implement similar levels of privacy protection to those in New Zealand;
- The Act also applies to organisations without a physical presence in New Zealand who collect, process or store personal information of New Zealanders.
(Read more in the NZ Privacy Act 2020: Update 1 publication put out by the international law firm Wotton + Kearney)
There are significant changes for most businesses in New Zealand.
Overseas, mandatory reporting led to increased numbers of reported security breaches as well as an increased uptake of cyber insurance policies. Depending on the number of personal records held, and the scale of the data breach, the costs to notify can be significant.
VL’s cyber insurance is one means to mitigate the costs arising from notification of privacy breaches.
If you wish to discuss any aspect of this issue, please contact Dan Lowe - VL’s Cyber Specialist or your VL underwriter.