12 January 2021

Privacy breach response plan: is your business prepared?

The biggest change of the Privacy Act 2020, which came into effect on 1 December 2020, was the requirement for businesses to notify the Privacy Commissioner of a privacy breach. 

Adopting a privacy breach response plan and holistic privacy management framework, can help ensure businesses are prepared to meet these new obligations.   

While every business is different, there are some common steps owners and managers can take to reduce the risk of non-compliance, and their exposure to compensation claims. 

Privacy breach response plan

Prepare, implement, and test a response plan. This should cover notification obligations under the Privacy Act as well as any other notification steps that may be relevant to your business. Ensure a copy of the plan can be accessed remotely even when systems are locked down following a breach.

Privacy review

Carry out a privacy review (or ‘privacy health check’) to make sure you understand the full life cycle of information within your business, and your privacy practices are up to date.

Supplier and customer contracts

Review your supplier and customer contracts to ensure appropriate provisions are incorporated to reflect the new breach notification obligations. Consider the impact on other provisions, including force majeure, liability, data sovereignty, confidentiality, announcements, and disaster recovery.

Governance

Consider whether your data strategy delivers on your purpose and is consistent with your business values. Does it identify your strengths, weaknesses, and maturity level regarding data?

Privacy statement

Ensure your privacy statements are up to date, and accurately and transparently reflect your collection, use and disclosure of personal information.

Policies and procedures

Update your internal policies and procedures (eg. privacy policies, IT security policies) to support your data strategy and privacy management framework.

Training

Provide regular training to make sure your staff are aware of the policies and procedures in place, and understand their obligations.

Security

It is important your privacy framework is integrated across teams to ensure appropriate security measures (including access controls) are in place to prevent and minimise the risks of a privacy breach.

Retention

Make sure you have a clear record-keeping and document destruction process in place to ensure the information you hold is up to date and securely destroyed when no longer required.

Preserving confidentiality

There is a risk that a privacy breach could lead to legal and regulatory claims. You should ensure your processes for responding to, investigating, and reviewing a breach take legal privilege into account.

Insurance

Review insurance policies to ensure these are appropriate to your business and the risks associated with a privacy breach.

Further information

• What the Privacy Act changes means for New Zealand SMEs
• Cyber insurance
• Office of the Privacy Commissioner