DLA Piper warns NZ businesses to be mindful of potential data breach consequences

With the new Privacy Act in force, the firm looks into global regulators’ responses to violations

DLA Piper has called for New Zealand businesses to be mindful of the potential consequences of data breaches following the implementation of the new Privacy Act.

“We are only just into 2021 but already privacy and cybersecurity are back on the radar as essential issues facing New Zealand businesses, with the high-profile data breach affecting the Reserve Bank,” the firm said.

The Privacy Act 2020 came into force last December, and “places greater responsibilities on businesses and organisations that collect and use personal information,” said the Office of the Privacy Commissioner. Organisations are now required to report “privacy breaches that have or may cause serious harm.”

The regulation also establishes a new privacy principle that regulates the overseas transfer of personal information.

“Businesses and organisations are now responsible for ensuring that any personal information they send to organisations outside New Zealand is adequately protected,” the Office of the Privacy Commissioner said.

Moreover, the Privacy Commissioner is granted “stronger powers and more tools to ensure businesses and organisations comply,” the department said.

In line with these developments, DLA Piper analysed the findings of a recent global survey on how international regulators have responded to data breaches. According to the firm’s January 2021 General Data Protection Regulation (GDPR) Fines and Data Breach Survey – which looked at the 27 EU member states as well as the UK, Norway, Iceland and Liechtenstein – breach notifications soared by almost 20% in the year to 28 January 2020, from 101,403 breaches to 121,165. 

“Businesses have been fined €272.5m (about $462m) for a wide range of infringements of Europe’s tough data protection laws,” the firm said. “€158.5m ($269m) of fines have been imposed in the last year alone, a nearly 40% increase on the previous 20-month period since the application of GDPR.”

While the NZ Privacy Commissioner has not been accorded the power to issue major fines the way regulators in the UK and Europe can, DLA Piper indicated that NZ businesses “should be watching keenly how breach notifications are dealt with in jurisdictions with more established data breach reporting regimes.”

“Regulators in the EU and UK have been testing the limits of their powers over the last 12 months. It will be interesting to see whether the Privacy Commissioner takes a similar hard-line approach in exercising his new powers under the Privacy Act 2020 (such as the issuing of compliance notices), and how New Zealand businesses will approach mandatory data breach reporting from here on in,” said Nick Valentine, who leads the firm’s NZ data protection team.
