The New Zealand Privacy Act 2020 came into effect on December 1, 2020 and brings several significant changes that businesses and non-government organizations (NGOs) need to be aware of. This updated legislation aims to enhance privacy protections and align with international privacy standards, such as the European Union's General Data Protection Regulation (GDPR).
Here's a closer look at what's new and important for businesses and NGOs to understand:
Key Changes in the Privacy Act 2020:
- Mandatory Reporting of Privacy Breaches: Organisations are now required to report serious privacy breaches to the Privacy Commissioner and affected individuals. This includes unauthorised access to, or disclosure of, personal information that causes, or is likely to cause, serious harm.
- Compliance Notices: The Privacy Commissioner can issue compliance notices to organisations that have breached the Act or are at risk of breaching it. These notices can require organisations to take specific actions to comply with the Act.
- Cross-border Data Flow Requirements: Organisations must ensure that personal information transferred outside of New Zealand is protected by comparable privacy standards. This includes requiring organisations to undertake due diligence when engaging overseas service providers.
- Enhanced Penalties: The Act introduces higher penalties for non-compliance, with fines of up to NZD $10,000 for individuals and up to NZD $1 million for organisations.
- Strengthened Privacy Commissioner Powers: The Privacy Commissioner has enhanced powers to enforce compliance with the Act, including the ability to issue compliance notices, conduct investigations, and seek penalties for non-compliance.
What Businesses and NGOs Need to Do:
- Review and Update Privacy Policies: Ensure that your organisation's privacy policies are up to date and comply with the new requirements of the Privacy Act 2020. This includes clearly stating how personal information will be collected, used, and protected.
- Implement Privacy by Design: Incorporate privacy considerations into the design of your organisation's products and services. This includes implementing privacy-friendly practices such as data minimisation and encryption.
- Train Kaimahi (Staff): Educate your kaimahi about their obligations under the Privacy Act 2020 and how to handle personal information securely. This can help prevent privacy breaches and ensure compliance with the Act.
- Implement Data Breach Response Plans: Develop and implement a data breach response plan to quickly and effectively respond to privacy breaches. This should include procedures for identifying, containing, and notifying affected individuals and the Privacy Commissioner.
- Review Data Handling Practices: Regularly review your organisation's data handling practices to ensure compliance with the Privacy Act 2020. This includes conducting privacy impact assessments for new projects or initiatives that involve the collection or use of personal information.
- Engage with Overseas Service Providers: If your organisation engages overseas service providers, ensure that they have adequate privacy protections in place. This may include contractual provisions requiring them to comply with the Privacy Act 2020 or equivalent privacy standards.
The New Zealand Privacy Act 2020 introduces significant changes that require businesses and NGOs to take proactive steps to protect the privacy of individuals. By understanding the new requirements of the Act and implementing appropriate measures, organisations can enhance their privacy practices and comply with the law.
Understanding your next steps can be tricky - please reach out if you need to kōrero and explore your next steps.