The current law dates back to 1993, long before commercial use of consumers’ personal data became commonplace.
Pressing issues with our outdated privacy law may finally get a kickstart on 23 September.
The current law dates back to 1993, long before commercial use of consumers’ personal data became commonplace.
The Law Commission recommended reforms to the Privacy Act in 2011. The Privacy Commissioner and the Justice Department, quoting “the Government’s stated intention to reform the Act”, have had the legislation under review ever since. But a draft Bill is nowhere in sight.
The Privacy Commissioner in February noted “significant developments internationally” were adding to the urgency of the need for reform. Among these are the European Union’s GDPR (General Data Protection Regulation), which comes into force on 25 May next year.
The Privacy Foundation, a not-for-profit privacy rights advocate, has been pushing for urgency. In July, it questioned political parties on their data privacy policies.
Labour, Green, and New Zealand First “gave a strong commitment to protecting personal information and respecting privacy", the Foundation said. Labour “commits to implementing most of the Law Commission proposals to strengthen consumer protections.”
National failed to acknowledge or respond to the Foundation’s letter. (Nor did ACT, Maori or United Future).
Organisations would do well to get started on the mammoth task of preparing their customer data systems and permissions for a more prescriptive regime
GDPR represents a major overhaul of the EU’s laws, and coming up to scratch will cost many companies who have dealings with EU residents a great deal of effort and expense. One key change is that customer consent for all data collection and use will need to be explicit; that is, companies will have to be able to demonstrate to regulators that each customer from whom they collect data has “ticked the box”.
In addition, the so-called “right to be forgotten” for which some consumer advocates have campaigned has been recognised in a more limited “right to erasure.” New “access” rights include the right of consumers to object to their data being used for marketing purposes, and the right not to be profiled.
Customer communications has become a multi-layered discipline that involves the whole business in a way that takes into consideration the way consumers research brands and share information and content.
The drafters of the EU’s GDPR had the social media giants in mind, and maximum penalties for breaches are consequently draconian – €20 million (NZ 33 million).
But the EU’s citizen-driven, regulated model contrasts with the more laissez-faire, market-forces approach of the US. An attempt at practical compromise, dubbed “Privacy Shield,” is a bone of contention.
Closer to home, Australia this year enacted the Data Notification Law, which comes into effect in February next year. This seeks to protect and provide notice to individuals at risk from a data breach.
Whatever the shape of the Government following the 23 September election, a major upgrade of data privacy rules is not far away, and organisations would do well to get started on the mammoth task of preparing their customer data systems and permissions for a more prescriptive regime.
At the very least, this will involve:
Identifying, as per GDPR, a “data controller” within the organisation;
Auditing and documenting what personal customer data you hold;
Identifying what approvals have been received from customers for use of their personal data
Identifying what consents, if any, customers have provided to receive marketing information; and
Ensuring you have procedures in place to detect and report personal data breaches.
Nelson Siva is the CEO of Solution Dynamics, and Auckland-based customer communications software and solutions company.
Send news tips and comments to divina_paredes@idg.co.nz
Follow CIO New Zealand on Twitter:@cio_nz
Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.