Here are 3 things that all start-ups, founders, and owners should think about in terms of data protection and privacy.
1. Confidentiality Agreements / NDAs
When parties come together for a common purpose, for example a collaboration or supply of goods / services, confidential information is likely to be exchanged in order to fulfil that purpose. Parties can put in place various arrangements to address how confidential information will be stored and used. The two most common ways for commercial parties to protect confidentiality are through: (i) a standalone confidentiality or non-disclosure agreement (NDA), or (ii) the service/supply contract between them containing confidentiality provisions.
To avoid a 'we said, they said' situation, it's best to record confidentiality obligations in a written agreement. The definition of 'confidential information 'is a key consideration; it should clearly state what is and isn't to be treated as confidential. It's also important to clearly set out the obligations of confidentiality (i.e. restrictions on disclosure) and permissible purposes/uses of the confidential information.
Even without a written agreement, New Zealand law protects against unauthorised use of information that is not publicly available, and which has been communicated in circumstances giving rise to an obligation of confidence and where the discloser has suffered harm. But making out a successful claim for breach of confidence is much harder when there is nothing written down.
Before engaging in open business conversations with external parties, take a moment to consider whether you need to put in place confidentiality terms and what those terms should look like.
2. Privacy Act 2020 – New Reporting Obligations
The new Privacy Act 2020 came into force at the end of last year (1 December 2020). With it, came several changes to the ways in which businesses and organisations must comply with the Act. One such change is the introduction of privacy breach notification obligations.
The Act now requires organisations and businesses to notify the Office of the Privacy Commissioner (OPC) and affected individuals of any privacy breach that has caused, or is likely to cause, serious harm. ‘Serious harm’ is measured by factors that include the sensitivity of the information, mitigation action taken, and the recipient (if known) of the information. The OPC website provides a helpful tool ‘Notify Us’, which involves a series of questions to help businesses and organisations determine whether a privacy breach meets the ‘serious harm’ standard.
Failure to report serious breaches (without reasonable excuse) is an offence with a fine of up to $10,000. A failure to notify may also amount to a breach of other laws (such as directors’ duties, fair trading and employment legislation), as well as contractual obligations. Where affected individuals have suffered harm and/or are not satisfied with how a privacy breach has been dealt with they can complain to the OPC who will usually attempt to resolve the issue through mediation or conciliation. In the event that a complaint can’t be settled, or there is a serious breach of the Privacy Act, the matter can be referred for adjudication by the Human Rights Review Tribunal, which has the power to award various remedies.
Businesses and organisations are encouraged to be adequately prepared to respond if a privacy breach occurs. This includes having a privacy breach response plan that enables you to swiftly contain the information, assess the risk and extent of exposure, and notify the Commissioner(if serious) and those affected. Lastly, prevention of a breach should be an ongoing consideration to ensure your business keeps up in an ever-changing technological environment.
3. General Data Protection Regulation (GDPR)
Hailed as the privacy gold standard, the GDPR has changed the EU’s legislative framework around how organisations collect, store and manage personal data.
The GDPR has extra-territorial effect, meaning it could apply to New Zealand businesses / organisations who:
- offer goods or services to people resident in the EU; or
- monitor the behaviour of people resident in the EU to the extent that behaviour takes place within the EU.
The GDPR applies to businesses / organisations that intentionally target individuals who are in the EU, but when goods or services are inadvertently or incidentally provided to a person in the EU, the related processing of personal data is unlikely to fall within the scope of the GDPR. So having a website accessible in the EU would not alone trigger GDPR obligations, but if a website provides for payment in Euros, shipping to EU member states and / or EU member state languages, it might be caught.
Breaching the GDPR can have significant financial consequences, so it is important for New Zealand businesses with a global or Internet presence to consider whether their activities trigger GDPR obligations, and, if they do, how to comply.
If you're a NZ start-up or founder needing more info on Privacy & Data Protection, book your free 30-minute session today.
Click here for more on the series including other topics of interest.
Author: Sarah Pearce