Notify privacy breaches within 72 hours
Organizations must notify a privacy breach that has caused serious harm to affected individuals, or is likely to do so, to the Privacy Commissioner and to the affected individuals as soon as practicable after becoming aware of the breach; the Privacy Commissioner expects this to be done within 72 hours. Where it is not reasonably practicable to notify each affected individual, or each member of a group of affected individuals, the organization must instead notify the public in a manner that does not identify any individual. An organization that fails to notify a notifiable privacy breach without reasonable excuse is liable on conviction to a fine not exceeding NZ$10,000.
Notify privacy breaches caused by an outsourced third party
Where an organization outsources data storage or data processing to a third party, that third party is treated as an agent of the organization. The principal data-collecting organization remains responsible for fulfilling the breach notification obligations, even where the breach was caused by the third party acting as its agent. Anything relating to a notifiable privacy breach that is known by an employee or member of the third party is treated as known by the principal data-collecting organization, so the notification clock starts from the agent's awareness, not from when the principal is told.
Respond to data access requests not later than 20 working days after the day on which the request is received
Organizations must respond to a data subject's access request as soon as is reasonably practicable, and in any case not later than 20 working days after the day on which the request is received. Where an organization refuses an access request, the individual has the right to complain to the Privacy Commissioner, who may issue a binding access direction requiring the organization to disclose the personal information to the individual.
Respond to data correction requests not later than 20 working days after receiving the request
Organizations must decide whether or not to grant a data subject's correction request as soon as is reasonably practicable after receiving it, and in any case not later than 20 working days after receiving the request, and must notify the requester of the decision. Where an organization has to transfer the request to another organization, it must do so promptly, and in any case not later than 10 working days after receiving the request, and must notify the requester accordingly.
Ensure that data subjects are aware of the purpose for which their data is collected
Organizations must inform data subjects of the fact that their information is being collected, the purpose for which it is collected, the intended recipients of the information, the consequences of not providing the information, and the data subjects' rights to access and correct their data. An organization must not use personal information obtained in connection with one purpose for another purpose unless the data subject authorizes it or another exception under the Act applies.
Organizations may disclose personal information to a recipient outside New Zealand only if the recipient is subject to privacy safeguards comparable to those in New Zealand's Privacy Act, the recipient is covered by a binding scheme or country prescribed by the New Zealand government, or the data subject expressly authorizes the disclosure after being informed that the recipient may not be required to protect the information in a way that provides comparable safeguards.
New Zealand’s Privacy Act 2020 applies to New Zealand entities as well as to overseas entities in the course of carrying on business in New Zealand, irrespective of their size, geographical location, and whether or not they are registered in New Zealand.
Ask for a DEMO today to understand how Securiti can help you comply with New Zealand’s Privacy Act 2020, GDPR, and a whole host of other global privacy laws and regulations, such as the CPRA, with ease.