4 Action Steps to Prepare your Business for the upcoming Privacy Act Changes

With New Zealand's privacy laws changing and the Privacy Act 2020 coming into force on 1 December 2020, make sure your business is prepared. To help you stay on top of this, we have put together four action steps you can take now to prepare for these changes.

1. Client Information and Data Storage  

It is common for employees to temporarily store company information on their own workstations and forget to remove it once they no longer need it.

It is important to educate your employees on the appropriate methods, set out by the Office of the Privacy Commissioner and by you as their employer, for collecting and storing client data. Collect and store only the information you actually need.

The Privacy Act 2020 requires businesses in New Zealand to notify the Privacy Commissioner, and the individuals affected, of any privacy breach that is likely to cause serious harm. Whether a breach is likely to cause serious harm depends in part on how well the data was protected (for example, whether it was encrypted), so leaving client data unprotected both puts your clients' privacy at risk and makes a notifiable breach more likely if that data is targeted.

NotifyUs Online Tool 

The NotifyUs online tool from the Office of the Privacy Commissioner helps you assess whether a breach meets the serious-harm threshold and, if it does, submit the notification to the Commissioner.

Under the Privacy Act 2020 (effective 1 December), if your organisation has a privacy breach that is likely to cause anyone serious harm, it is legally required to notify us and any affected persons as soon as it is practicably able to. 

– Office of the Privacy Commissioner 

2. Back-up your data 

Data back-up is crucial to the survival of your business. If a breach or a ransomware attack destroys or encrypts your data, a backup lets your business keep operating, work out what information was affected and notify the people concerned.

We recommend the 3-2-1 principle: keep at least three copies of your data, on two different types of storage media, with at least one copy held offsite. Make sure the offsite copy is offline or otherwise isolated from your network, so that an attacker who gets into your systems cannot encrypt or delete it as well, and test periodically that you can actually restore from it.

3. Secure your client data  

Your clients' privacy should be your top priority. Any application or document that contains personal information should be kept in a location that requires authentication to access, with access limited to the staff who need it. Enable multi-factor authentication (MFA) on those accounts to provide a higher level of protection.

If your client data is stored with a cloud provider, confirm which security precautions the provider takes and which remain your responsibility; account security, access control and MFA are usually yours to manage.

Prevention is better than cure, so improving your data security is the best approach. An Endpoint Detection and Response (EDR) solution monitors your workstations and servers for malicious activity and lets you contain it quickly, which helps protect the data they hold.

4. Data Management and Retention  

Some data management applications can be configured with retention rules, so that data that is no longer needed, or that has passed its required retention period, is deleted automatically and on time.

Your Customer Relationship Management (CRM) or data management software helps you regularly check, clean up and update your client lists and client information.

What steps can you take?  

  • Update your client list regularly. Where possible, avoid collecting customer information that is not required for the purpose for which the client signed up with your business. If you use multiple systems and the data needs to be synced across them, it may be possible to automate this process.

  • Remove client data when the client leaves, especially from your promotional and marketing-related contact email lists. 

  • Know your data retention policy. It should document how long each kind of data is kept, including any period required by law, and when data no longer serves its purpose and should be removed.

  • If a client no longer wishes to have their information on file, remove it in a timely manner. If their data is legally required to be kept on file, make sure:
    • The client is informed and aware 
    • A record of the client being informed is kept on hand  
    • The client is not contacted for marketing purposes  

  • When choosing a data storage platform, such as a CRM system or a server for your organisation, consult a specialist to make sure it has adequate security and complies with the new law.
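As an added example (not code from the original post or from Think I.T.), the Python script below shows the retention logic the steps above describe: records that are no longer needed are deleted once any legal hold has lapsed, records still under a legal hold are retained with marketing suppressed, and any retained client who has not yet been told is flagged for notice. The seven-year retention period, the record fields and the sample clients are assumptions for illustration; take the real periods from your own retention policy.

```python
"""Retention sweep over a constructed client list (illustrative example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Hypothetical retention period; take the real figure from your own policy.
RETENTION_PERIOD = timedelta(days=7 * 365)
# Date the sweep is run on, fixed here so the example is reproducible.
SWEEP_DATE = date(2020, 12, 1)


@dataclass
class ClientRecord:
    client_id: str
    email: str
    relationship_ended: Optional[date] = None  # None while the client is still active
    removal_requested: bool = False            # client asked to be taken off file
    legal_hold: bool = False                   # a legal obligation requires keeping the data
    informed_of_hold: bool = False             # client has been told their data is retained
    marketing_opt_in: bool = True


def hold_expires(record: ClientRecord, today: date) -> Optional[date]:
    """Date on which a legal hold lapses, or None if no hold applies."""
    if not record.legal_hold:
        return None
    # The hold runs from the end of the relationship; if the client asked to be
    # removed while still active, it runs from today.
    started = record.relationship_ended or today
    return started + RETENTION_PERIOD


def classify(record: ClientRecord, today: date) -> str:
    """Decide what the sweep should do with one record.

    'keep'              active client, nothing to do
    'delete'            no longer needed and no hold applies (or the hold has lapsed)
    'retain_under_hold' must be kept; client already informed; marketing suppressed
    'needs_notice'      must be kept but the client has not yet been told
    """
    leaving = record.removal_requested or record.relationship_ended is not None
    if not leaving:
        return "keep"
    expiry = hold_expires(record, today)
    if expiry is None or today >= expiry:
        return "delete"
    return "retain_under_hold" if record.informed_of_hold else "needs_notice"


def run_sweep(records: list[ClientRecord], today: date) -> dict[str, list[str]]:
    """Group client IDs by action and suppress marketing for anyone retained under a hold."""
    plan: dict[str, list[str]] = {
        "keep": [], "delete": [], "retain_under_hold": [], "needs_notice": []
    }
    for rec in records:
        action = classify(rec, today)
        if action in ("retain_under_hold", "needs_notice"):
            rec.marketing_opt_in = False  # retained for legal reasons only, never for marketing
        plan[action].append(rec.client_id)
    return plan


# Constructed sample data for the example.
SAMPLE = [
    ClientRecord("c1", "active@example.com"),
    ClientRecord("c2", "left@example.com", relationship_ended=date(2019, 3, 1)),
    ClientRecord("c3", "hold@example.com", relationship_ended=date(2018, 6, 30),
                 legal_hold=True, informed_of_hold=True),
    ClientRecord("c4", "notice@example.com", removal_requested=True, legal_hold=True),
    ClientRecord("c5", "old@example.com", relationship_ended=date(2012, 1, 1),
                 legal_hold=True, informed_of_hold=True),
]

if __name__ == "__main__":
    for action, ids in run_sweep(SAMPLE, SWEEP_DATE).items():
        print(f"{action}: {ids}")
```

Run as written, the sweep keeps c1, deletes c2 (no hold) and c5 (hold lapsed in 2018), retains c3 with marketing switched off, and flags c4 because the client has not yet been informed. The "needs_notice" bucket is the one to act on first: the record of that notice is what the checklist above asks you to keep.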

Staying on top of the new Privacy Act changes and educating your team on how to handle client information is worth the investment for your business.   

If you need help choosing the right solution to store and manage your data, please get in touch with us at Think I.T.  

*This blog is written to inform you about some of the data privacy law changes that are taking effect and how to better protect your organisation. If you need to consult someone regarding the law or have questions specific to privacy, please contact the Office of the Privacy Commissioner.  
