
On 1 December 2020, New Zealand’s new Privacy Act 2020 came into effect. Our experts at SECURITI.ai have compiled the following list of compliance actions to remind organizations of their obligations under New Zealand’s new Privacy Act.

1. Notify privacy breaches as soon as practicable after becoming aware of the breach

Organizations must notify the Privacy Commissioner and the affected individuals of any privacy breach that has caused, or is likely to cause, serious harm to the affected individuals, as soon as practicable after becoming aware of the breach. Where it is not reasonably practicable to notify the affected individual or each member of a group of affected individuals, organizations must notify the public in a manner that ensures no individual is identified. Companies that fail to notify privacy breaches without any reasonable excuse would be liable on conviction to a fine not exceeding $10,000.

2. Notify privacy breaches caused by any outsourced third-party

Where an organization outsources data storage or data processing activities to a third party, the third party will be considered an agent of the organization. The principal data collecting organization will be responsible for fulfilling the breach notification obligations, even if the breach is caused by a third party acting as its agent. Anything relating to a notifiable privacy breach that is known by any employee or member of the third party will be considered to be known by the principal data collecting organization.

3. Respond to data access requests not later than 20 working days after the day on which the request is received

Organizations must respond to a data subject’s access request as soon as is reasonably practicable, and in any case not later than 20 working days after the day on which the request is received. Where an organization refuses to respond to an access request, the individual has the right to complain to the Privacy Commissioner, who may issue a binding access determination requiring the company to disclose personal information to the individual.

4. Respond to data correction requests not later than 20 working days after receiving the request

Organizations must decide whether or not to grant a data subject’s correction request as soon as is reasonably practicable after receiving the request, and in any case not later than 20 days after receiving the request, and notify the requester of the decision. Where an organization has to transfer the request to another organization, it must do so promptly, and in any case not later than 10 working days after receiving the request, and notify the requester accordingly.

5. Ensure that data subjects are aware of the purpose for which their data is collected

Organizations must inform data subjects of the fact that their information is being collected, the purpose for which the data is collected, the intended recipients of the information, the consequences of not providing the information, and the data subjects’ rights to access and correct their data. An organization must not use any personal information that was obtained in connection with one purpose for another purpose except with the authorization of the data subject.

6. Ensure comparable privacy safeguards to those that apply under New Zealand’s Privacy Act before transferring personal information outside New Zealand

Organizations can transfer personal information outside New Zealand only if the destination country provides comparable safeguards to those in New Zealand’s Privacy Act, the destination country is part of a prescribed binding scheme issued by the government of New Zealand, or if the data subject expressly authorizes the disclosure of personal information after having been informed of the inadequate data protection standards of the foreign country.

New Zealand’s Privacy Act 2020 applies to New Zealand entities as well as to overseas entities in the course of carrying on business in New Zealand, irrespective of their size, geographical location, and whether or not they are registered in New Zealand.

Ask for a DEMO today to understand how SECURITI.ai can help you comply with New Zealand’s Privacy Act 2020, GDPR, and a whole host of other global privacy laws and regulations, such as the CCPA, with ease.
