Sapna has completed a Bachelor of Arts/Laws. Since graduating, she's worked primarily in the field of legal research and writing, and she now writes for Sprintlaw.
As a business, protecting the data of your customers is not only a legal obligation but also a crucial aspect of building a trusting relationship with them.
When customers trust your business with their data, it’s your responsibility to ensure that their data is not misused in any way.
In this article, we’ll explore how you can protect customer data, your legal obligations around customer data in New Zealand, and other risks you may encounter. Read on to learn more.
What Should I Know About Customer Data Protection?
Data is an extremely valuable asset. It can help businesses better understand their customer base and improve their experience accordingly.
Conversely, the misuse of data can have serious consequences for both customers and businesses.
Therefore, protecting the data of customers should be a high priority for all businesses.
Why Should I Protect Customer Data?
When data is exposed, it can put both you and your customers at risk. Hackers can cause harm with the personal information of individuals, such as their names, addresses, contact information, and bank account numbers.
This kind of identifying information is classified as personal information, which attracts high levels of protection under New Zealand privacy laws (we’ll cover this in more detail later).
For your business, if you have failed to take reasonable measures to protect your customers’ data and it results in a data breach, you can be held responsible.
Moreover, when customer data is hacked, it can be detrimental to your business's reputation, productivity, and finances.
New Zealand Privacy Laws: What They Say About Customer Data
New Zealand privacy laws strictly regulate how businesses must handle customer data.
As a business, you need to be aware of the Privacy Act 2020 and the Information Privacy Principles (IPPs).
These regulations set out the obligations for businesses in terms of data protection, the standards for protecting customer data, and the types of data that can be collected and stored.
Non-compliance with these regulations can lead to legal consequences, so it’s a good idea to familiarise yourself with them!
If you have any questions, feel free to reach out to our legal experts for clarification.
The Privacy Act 2020 also establishes the notifiable privacy breaches scheme. Under the scheme, when a data breach involving personal information occurs in certain circumstances, the business must notify the Office of the Privacy Commissioner (OPC) and inform the affected individuals in the manner the scheme requires.
How Can I Protect Customer Data?
Protecting customer data involves identifying risks and then taking measures to mitigate them.
If your business experiences a hacking incident, the main question will be who is liable for the losses. This requires consideration of whether reasonable measures were taken to protect customer data in the first place.
If your business did not have the appropriate measures in place to prevent data breaches (such as investing in robust cyber security systems), then you could be held liable for the resulting losses from the data breach.
Once you have established that you possess information from your customers that needs protection, your business must implement protective measures.
When doing so, it's wise to understand the potential risks you are safeguarding against.
What Are Cyber Security Risks?
Cyber security risks are the dangers a business faces when its internal or online systems are compromised.
Information such as personal data, intellectual property, client lists, and other private business matters can be used against a business and its customers when it falls into the wrong hands.
Common types of cyber security risks include:
- Data breaches
- Hacking
- Identity theft
- Phishing
- Scams
- Malware
It’s important to establish a robust cyber security system to protect your business from such risks.
How To Build A Strong Cyber Security System
There are various options and methods for building a strong cyber security system. It's up to you to decide what will work best for your business.
Some ways businesses can strengthen their cyber security systems include:
- Only collecting necessary data
- Limiting who has access to the data
- Deleting data once it is no longer needed
- Consistently updating your protection methods (such as passwords)
- Creating a Data Breach Response Plan, so that if a breach does occur your response is faster and more organised
You might also consider undertaking a Privacy Impact Assessment (PIA).
A PIA examines your project (or business) and its goals. It then analyses whether the current systems in place are sufficient for protecting data. If not, the PIA will identify any weaknesses and make recommendations for improvements.
The New Zealand government also provides an online Cyber Security Assessment Tool that you can use to evaluate how your business's current privacy practices measure up.
Do I Need A Privacy Policy?
If you are collecting personal data from your customers, it is likely that you will need a Privacy Policy on your website.
A Privacy Policy is a document that informs customers about how their data is being used and collected when they visit your website.
Generally, a privacy policy is required for businesses that have an annual turnover of more than NZ$3 million.
Even if your business has an annual turnover that is less than NZ$3 million, you may still be required to have a privacy policy.
Essentially, any business that is covered by the Privacy Act must follow the IPPs. This includes businesses that:
- Collect any kind of data from their customers
- Provide a service under a Commonwealth contract
- Offer health services or obtain health information from their customers
- Buy and sell personal information
If your business meets any of these criteria, then you are likely required to have a privacy policy.
Do I Need A Cyber Security Policy?
While there is no legal requirement in New Zealand to have a Cyber Security Policy, it is still a prudent measure for businesses to adopt one to better protect their data.
Protecting yourself online involves a coordinated effort from all aspects of your business, including staff, management, and the internal systems in place.
A cyber security policy is the official document that all employees of the business can refer to.
It outlines the procedures and daily steps involved in ensuring data remains secure. Cyber security policies often include:
- Who can access which systems and information
- What information can be shared
- The assets that need protection
- The steps employees must take to keep everything secure
- How data is to be handled
- Cyber security training
- Insurance coverage related to cyber security
- Confidentiality matters
What Other Legal Documents Do I Need?
When establishing your business's cyber security, there are additional legal measures you can take to enhance protection.
Proper use of certain legal documents can help safeguard the information you wish to keep private.
Below, we've listed some common ways legal documents are used to protect a business's privacy.
Confidentiality Agreements
Confidentiality agreements are used when you do not want others to disclose private information about your business. They are often included in contracts to maintain the confidentiality of certain information.
For example, you might include a confidentiality clause in your Employment Contracts so that employees are aware of what they can and cannot discuss outside of work.
Confidentiality agreements can protect your business's internal systems and data. For instance, if an employee leaves the company to work with a competitor, they cannot take your current client list with them.
You could also restrict ex-employees from disclosing certain information by including a Non-Compete Clause in their Employment Contracts, preventing them from working with competitors and disclosing important business information or trade secrets.
Non-Disclosure Agreements
Non-Disclosure Agreements (NDAs) are legally binding agreements that require signatories to maintain a certain level of secrecy.
NDAs are often signed before allowing access to potentially sensitive aspects of your business, such as before a potential investor views a business plan or an IT specialist installs software on the company's systems.
An NDA can be useful in securing information when exposing potentially vulnerable parts of your business to someone.
Key Takeaways
Protecting customer data is essential for all businesses to comply with the law, protect their customers, and safeguard their business. To summarise:
- Customer data protection is about preventing unauthorised access to your customers' private information.
- The Privacy Act 2020 and the IPPs largely regulate this area in New Zealand.
- To protect customer data, assess your risks and take active measures to minimise them.
- Establishing a strong cyber security system is crucial.
- You may be legally required to have a privacy policy.
- Consider implementing a cyber security policy in your workplace.
- Legal documents, such as NDAs, can also help protect your data.
If you would like a consultation on protecting customer data, you can reach us at 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligations chat.