The New Zealand Privacy Act 2020: Steps to get your SAP system compliant

September 10, 2020
Written by Gericke Potgieter

Gericke is responsible for marketing systems management and data analytics at EPI-USE Labs. He is a qualified ISO 27001 Lead Implementer and has an MA in Socio-informatics (Decision Making Theory). He has spent most of his career in IT, strategy consulting and software development.

The New Zealand Privacy Act 2020: Steps to get your SAP system compliant

The New Zealand Privacy Act received a well-deserved overhaul to bring data privacy for individuals in line with global standards like the GDPR. Read on to learn how the changes to the Act impact you.

 

  1. D-Day for the New Zealand Privacy Act 2020
  2. What is different?
  3. Who should comply?
  4. What can you do to comply with the Act?
  5. You don’t have to do it alone
  6. Disclaimer


D-Day for the New Zealand Privacy Act 2020

New Zealand’s original privacy legislation was passed in 1993. As a piece of legislation, it was well ahead of its time, detailing a number of privacy principles that guide organisations and other data collectors on the rights of the individual when it comes to their data privacy.

 

With GDPR leading the global push for improved data privacy for individuals, the Act was updated to give better control to individuals over how their data is used. The updates place several requirements on organisations that could make compliance challenging.

 

The commencement date for the Privacy Act 2020 is 1 December 2020, leaving organisations across New Zealand with precious little time to ensure that they are fully compliant.

A particular challenge is that of SAP systems where the degree of complexity can make a compliance effort feel overwhelming, especially if you don’t have the right data privacy tools.


What is different?

Notifiable privacy breaches

Privacy breaches now require notifications to be sent to the Office of the Privacy Commissioner and affected individuals. However, this is only required if the breach poses a significant risk for the individuals in question.

The challenge here is twofold. On the one hand, your organisation must have a very clear idea as to which fields in your SAP system are regarded as sensitive enough to warrant a breach notification. On the other, you need to have a well-developed breach detection and notification process designed and implemented.

Compliance notes

The Privacy Commissioner now has the ability to issue compliance notices. These notices allow the Commissioner to force organisations to do something or stop doing something for the purpose of compliance with the law.

 

Since these notices will come with a deadline, your organisation will have to be agile enough to respond within the time frame, otherwise you may face fines. For example, how quickly can you mask your sensitive SAP test data if that is required of you?

Enforceable access directions

The Privacy Commissioner will also be able to force organisations to give individuals access to their data. The reason for this change is to allow for faster resolution of complaints under Principle 6 of the Act.

Disclosing data within SAP is tricky. The interrelationships between the various data tables make it complicated to extract and report on personal data across entire systems.

Disclosing information overseas

Privacy principle 12 was added to the Act to regulate how personal information can be sent overseas. With the cloud driving technological advancements, the transfer of personal data to other jurisdictions had to be addressed. In essence, the principle requires the organisation to make sure that personal information can only be transferred overseas if the receiving party has similar legislative safeguards in place that the Act affords.

If this is not possible, the individuals will need to be informed before the transfer takes place, so that the individuals can provide authorisation.

 

This presents a potentially more complex challenge. At a starting point it affects the choices your organisation makes in terms of hosting or cloud services providers. For example, you won’t be able to transfer data to US cloud servers without authorisation by every individual on your database. There is currently no Federal law that gives the same protections as the Act does.

 

This makes any decisions regarding the overseas transfer of personal information particularly complex, especially if you are already hosting your data in a jurisdiction that doesn’t qualify. What will you be doing with your data to ensure that you don’t need to request authorisation?

Extraterritorial effect

The Privacy Act 2020 now clearly states that it has extraterritorial effect. Any business or organisation that has some form of activity within New Zealand, and that collects personal information, must comply regardless of where they are located.

 

If your organisation is active in New Zealand, you must comply.

New criminal offences

A number of new criminal offences are introduced by the new Privacy Act. Impersonating someone in order to gain access to personal information will now be a criminal offence. Also, it will be a criminal offence if a business or organisation destroys data, knowing that an access request is pending. These offences carry fines of up to $10,000.

 

For your organisation this means that a) you will need to have specific measures in place to confirm the identity of individuals who request personal information and b) you will need internal controls that disallow the deletion of data when a pending request is active.

Other changes

Some additional changes highlighted by the Office of the Privacy Commissioner includes clarification in Principle 1 that cements the concept of “data minimisation”, where business and organisations are not permitted to collect information they don’t specifically need.

 

New withholding grounds for access requests under Principle 6 has also been added.


Who should comply?

The Act refers to entities that must comply as “agencies.” In Section 3A of the Act, agencies are defined as organisations, business, or even individuals who collect personal information.


What can you do to comply with the Act?

If you have no data privacy program

If you have no data privacy program in place, you need to start one with some urgency. Here are a number of steps that you should consider:

The New Zealand Privacy Act 2020: Steps to get your SAP system compliant

If you have a program in place to address GDPR or similar

A fully developed program that aligns with GDPR (or similar) can assist as you may already have the necessary processes in place to be compliant with the Privacy Act 2020. The latter is less stringent in many ways than the GDPR, but don’t be lulled into a false sense of security. As technology advances, so will amendments to the Act.

However, it is still a worthwhile exercise to compare GDPR with the New Zealand Privacy Act 2020, to understand how any differences should be handled.


You don’t have to do it alone

We understand the complexity of implementing data privacy compliance in large organisations, especially when it comes to complex SAP systems. To understand your options, read our white paper on making compliance easier from an SAP perspective.

 

Making compliance with the New Zealand Privacy Act 2020 easier


Disclaimer

This blog is not intended as legal advice and should not be construed as such. Its purpose is to provide information for educational purposes only and makes no claims or guarantees with regards to efficacy, accuracy or full compliance with the law discussed herein.

 

Please consult with an appropriate legal advisor before implementing any part of a Privacy Act 2020 compliance project. EPI-USE Labs will not take any responsibility for misinterpretation or incorrect application of practical measures towards compliance resulting from the use of this information.

 

 

Explore Popular Tags

GDPR Data Privacy Data Security Data Secure GDPR compliance Data Redaction data scrambling General Data Protection Regulation Data Redact POPI Act POPIA SAP Data Security SAP GDPR Data Archiving Data Sync Manager SAP data privacy and compliance Right to be forgotten Data privacy compliance Data privacy regulations GDPR readiness GDPR deadline Personal data SAP SAP security GRC for SAP SAP systems Access Risk management Access risk controls Data minimisation Data security breaches Governance, Risk Management and Compliance (GRC) SAP data privacy and security compliance COVID-19 Data Privacy suite Data privacy by design Risk monitoring SAP data copying and masking SAR Soterion Subject Access Request anonymised data Australian Privacy Act 1988 CCPA Cenoti Client Sync Data Protection Day Data masking European operations Federal Law GDPR fine Guest order ICO May 2018 Object Sync One-time customer Privacy by Design Reducing risk Right to Erasure Risk minimisation S/4HANA Migrations SAP S/4HANA SAP data SAP data privacy & security Secure scrambled production data for testing Test Data Management security breach Backlog privacy debt Black Friday Black Friday hangover Black Friday sales Breach Notification Brexit Budget Canada data privacy legislation Cenoti, connecting SAP with Splunk Cloud migrations Confidentiality Consent DSM DSM Readiness Assessment Data Portability Data Removal Data Replication Data Sync Manager (DSM) Data integrity Data processor versus controller Data retention rules Documentation EPI-USE Labs’ solutions Employee data Europe Friday 25 May 2018 GDPR-type legislation GRC GRC for SAP tools General Data Protection HCM HR ILM Information Commissioner’s Office Information transfer Infotype 41 JSOX New Zealand Privacy Act Online shopping Penalties Phantom Proportional Data Protect personal employee data Removing data in SAP Right to Access Rise with SAP Risk management S4HANA SAP Cloud SAP Data Privacy Suite SAP RISE SAP SuccessFactors SAP access risk simulations SAP data encryption SIEM SOX Sarbanes-Oxley (SOX) legislation Security Security Information and Event Management Security for SAP. Live Sensitive HCM data South African data privacy legislation Splunk Splunk UBA Splunk’s Enterprise Security Success Factors Territorial Scope UK Government User Access Review Virtual conference What does the European GDPR mean for Australia? ebook masking rules quality of test data system copy uk sox
+ See More

Get Instant Updates


Leave a Comment: