If your business has responsibilities under the Privacy Act 2020, then, as specified by the Privacy Breach Guidelines, you must notify affected individuals and the Office of the Privacy Commissioner (OPC) when a privacy breach occurs.

An organisation will have obligations under the Privacy Act if it is a New Zealand government agency, has an annual turnover of more than NZ$3 million, or falls into one of these categories.

As such, you need to be prepared in case a privacy breach occurs in your business.

It is important to have a Data Breach Response Plan to make sure that you fulfil your obligations to the individuals you’ve collected data from, and to the OPC.

What Are Privacy Breaches?

A privacy breach happens when an individual’s personal information is lost by an organisation or is subjected to unauthorised access or disclosure.

A privacy breach can occur in many different scenarios, for example:

  • Your customers’ personal information is stored on a device, and that device goes missing or is stolen
  • A database holding your customers’ information is hacked
  • Personal information is accidentally given or sent to the wrong person

What Is A Data Breach Response Plan?

A Data Breach Response Plan is a framework setting out the roles, responsibilities and steps needed to manage a privacy breach if one were to occur.

A business’ Data Breach Response Plan needs to be a comprehensive plan in writing that ensures all staff are aware of their roles in the case of a privacy breach.

Your Data Breach Response Plan should be easily accessible to all your staff so that it can be retrieved on short notice.

The OPC recommends that Data Breach Response Plans be tested regularly to ensure that they are up-to-date and effective. How often testing should be conducted depends on various factors, such as:

  • The size of your business
  • The nature of your business
  • The extent to which an individual would be affected if a breach were to occur
  • The nature of the information you collect (i.e. how sensitive is it?)

Why Do I Need A Data Breach Response Plan?

It’s recommended that you have a Data Breach Response Plan to make sure your business can respond to any breaches in a timely manner.

A quick response will be important in decreasing the impact of a breach on individuals, reducing the cost of handling the breach, and minimising the potential for the breach to damage your goodwill and reputation.

Responding to privacy breaches in a quick and efficient manner also lets your clients know that your business takes privacy seriously.

What’s In A Data Breach Response Plan?

Your Data Breach Response Plan should address:

  • What is considered a privacy breach: Different businesses may have different definitions of what constitutes a breach. Your plan should also include potential examples, based on the nature of your business.
  • Strategies for containing, assessing and managing the privacy breach: The plan should include actions for your staff, address requirements under law (e.g. requirements under the Privacy Act 2020), and outline a standard and clear way of communicating with affected individuals and businesses.
  • Documentation: You should detail your methods of recording incidents, as this will help demonstrate how your business remains compliant with its legal obligations.
  • Review: This is to evaluate the response post-breach and to improve processes.

The OPC has a guide that is useful in formulating your own Response Plan.

Need Help?

Putting together a Data Breach Response Plan can seem like a daunting task, but it is crucial for businesses to have one, particularly if you have obligations under the Privacy Act 2020.

Responding in the most efficient manner is important to maintain trust in your business, and to ensure the effect of the breach is contained.

Get in touch with us at [email protected] or call us on 0800 002 184 if you have any questions regarding Response Plans or your obligations under the Privacy Act.

About Sprintlaw

We're an online legal provider operating in New Zealand, Australia and the UK. Our team services New Zealand companies and works remotely from all around the world.
