Cybersecurity and data protection must now be on the radar of all businesses. No matter your industry, the demographics of your market, or the types of goods/services you provide, you’ll know that collecting data is part of the fabric of your business. Some 64.2 zettabytes of data is created, captured, copied and consumed globally – and that number continues to grow.
The data protection landscape is changing rapidly, in New Zealand and globally. New Zealand’s privacy laws require organisations that hold personal information about individuals to comply with a range of specific legal requirements related to how that information is collected, stored, accessed and disclosed.
At the same time, New Zealand organisations are rapidly adopting cloud computing as a way to drive greater efficiencies and digitise their offerings – a trend that has significant bearing on this collection, storage and exchange of data. We think it is important to highlight the potential impacts privacy law may have on your business, and get you thinking about the advantages the cloud may offer you in terms of data security.
The New Zealand Privacy Act (2020) for the cloud – The fundamentals
Data privacy has recently undergone major legislative change in New Zealand. The New Zealand Privacy Act 2020 is now the framework for protecting personal information, and outlines how all organisations and agencies must do that. For most, cloud-based or not, the impact of these updates requires significant systems and process change to ensure compliance.
The Act has a number of key elements we think you must be aware of:
- The second key point (one with particular implications for cloud users) is that data sovereignty requirements in the Act state that personal data cannot be stored outside of New Zealand unless the privacy rights in the hosting country are legally equivalent to New Zealand’s. Cloud users need to make sure their host country has high standards of privacy protection for the data stored there.
- The collection of personal data is now only allowed for business purposes, so no personal data can be collected if it’s not needed. With this, there’s the expectation that businesses will be upfront about how they’re collecting data, and what data they are collecting. For example, if your website collects location data of visitors, you’ll need to make this clear to them when they visit.
- There is also now a legal responsibility to keep customers’ personal information safe and protected against cybersecurity threats, which brings with it a range of data security considerations. All sensitive data should be encrypted and password protected, software should be kept up to date, anti-malware software should be used on all devices, data should be backed up, two-factor authentication should be used, all interactions with customers’ personal information should be tracked, the business network must be secure and, finally (and importantly), there must be a response plan in place for when things go wrong.
- Transparency is now expected with use of customers’ personal data. This data cannot be disclosed to third parties, unless: you have specific permission, sharing the data is why you collected it in the first place, and this was clearly articulated, the data will be fully anonymised if it is shared, or the data is required for a legal matter.
Actioning your cloud privacy programme
Cloud-based privacy law sets out that enterprises are responsible for any personal information given to a cloud partner or provider. We recommend attending to four key areas when planning and actioning your cloud privacy programme:
- Clearly stating and restricting what your clients’ personal information can be used for
- Limiting who has access to it, and who it can be shared with
- Storing information securely, and only for as long as necessary
- Allowing your customers to access and correct their own personal information
- Proactively catering for breach scenarios, and having carefully prepared breach reporting approaches in place.
The stakes are high. Poor privacy management can mean significant legislative and financial consequences, not to mention reputational damage. If you aren’t sure whether or not you are complying with best-practice (and lawful) data security protocols, consult your local CCL office.