Data Privacy is now a hot topic in
NZ.
As a law firm, you will be more aware of the legislation than us, but we have been astonished that not every firm seems to understand the ramifications for their own work product.
You will know what is driving our concern:
1. The GDPR (General Data Protection Regulation) which came into effect in Europe in May 2018. This introduced strict regulations on what private information is, how to get consent from users, how to deal with breaches, and when personal information must be deleted. The fines for not complying were large; €20 million or up to 4% of the annual worldwide turnover. Although it is a European regulation, it applies to any company that stores personal information for EU citizens so potentially impacts all companies world-wide.
2. Updates to the Australian Privacy Act, which makes data breach notification compulsory as of February 2018. This means that if an individual’s personal information is leaked and likely to result in serious harm the company is required by law to notify the individual(s). Again, the fines for not complying were increased to up to AU$2 million.
3. The New Zealand Privacy Act changes in 2020, introducing mandatory reporting requirements and tougher fines.
Updated privacy regulations aim primarily to give control to citizens of their personal data. It means that citizens are more aware of how their personal data will be stored, used and shared.
We recommend that a data privacy policy is created based on best practice and research performed across the industry. Staff should be trained on the privacy policy and it should be included in the staff induction process.
Does your practice have a data privacy policy?
How to create your own:
To create a data privacy policy the following areas and questions need to be answered:
- What data do we hold?
- We don’t tend to delete data – why do we hold it?
- When, if at all, should we purge it? Why?
- If someone asks us, what is our process on checking that they are who they say they are?
- How would we know if it were stolen or leaked? Who would we notify?
- What is our obligation to the clients and their staff? Is it different?
- Who do we notify?
You can use this generator to help create your own, but we recommend a more thorough approach
To get started, we recommend a Kinetics “FlightPlan” to explore these ideas, and many other aspects to help us make sure that your IT isn’t just running well, but the way you use your IT matches your business needs.