This article is co-authored by Jodi Ellmers and Jessie McKenzie.
Our smart phones, smart homes and smart cars allow companies to track and analyse our behaviour all the time. There is value in this data – and competition to make money from it.
Things have gotten a little out of hand with respect to privacy but regulators have now caught up. Laws with global reach are now forcing businesses to take privacy seriously and the fines are staggeringly high.
Last week British Airways was fined £183m for a privacy data breach. Google was recently fined €50m by the French regulator for breaking privacy rules around transparency when users create an account. And Facebook has set aside $3-5 billion in anticipation of its liability under Canadian privacy laws for providing user data to a political consulting firm.
Consumers are also becoming more aware of their rights. They care about protecting their personal data and want control over how it’s collected and used.
Businesses must take privacy seriously but smart boards and management teams are also taking steps to extract value from their business’s data, to protect it, and to leverage it for a competitive edge.
So how do you walk that tightrope? By knowing and sticking to the rules.
Data must be legally collected and used only for the purposes your business requires. This might include ensuring that data can legally be transferred on a business sale – something that is often overlooked.
New Zealand’s privacy laws are currently being overhauled. A new Privacy Bill was introduced in March 2018 and is expected to come into force in March 2020. It will replace the outdated Privacy Act 1993.
What Is Personal Data?
The current Privacy Act defines personal information as “any information about an identifiable individual”. This is very broad. If there is a reasonable chance that someone could be identified from the data, then it would fall within this definition. It is also important to remember that personal data doesn’t need to be “secret” or “sensitive”. If in doubt, always err on the side of caution and assume that your business is dealing with personal data to ensure compliance with the Privacy Act.
What’s At Stake?
Non-compliance with the Privacy Act is a real business risk. There is a lot to lose, including:
- You don’t want your business to be in the headlines for Privacy Act breaches or poor privacy practices.
- Compensation for breaches
  - The Human Rights Review Tribunal can award compensation or damages to an individual for privacy breaches. The most that the Tribunal has awarded was $168,000 (this was in a particularly egregious case).
- Contractual breaches
  - In many cases, failure to comply with the Privacy Act will breach your supplier, customer and other business contracts. The consequences can include termination and/or damages for loss arising from the breach.
- Costs associated with remediating a privacy breach
  - Don’t underestimate the time and resources required to remedy a privacy breach – e.g. engaging experts to investigate (and PR companies to minimise reputational damage), and then contacting all of those impacted (something which will be mandatory when the Privacy Bill comes into force).
Privacy is a hot topic and it is here to stay.
If you would like more information on what’s required under the Privacy Act and some practical tips on how your business can comply, please click on these links.