This post is aimed at helping businesses navigate two significant NZ privacy reforms that come into force on 1 December 2020:

  1. notifiable data breaches; and
  2. permitted international data transfers.

Other key reforms not covered here (new criminal offences, binding access decisions and compliance notices) are summarised in this article from the Privacy Commissioner:

Notifiable Data Breaches

The purpose of this reform is to increase the transparency and accountability of organisations that handle personal data. Organisations will now need to:

  • make individuals aware when their data is caught up in a data breach and serious harm is likely to result; and
  • also notify the Privacy Commissioner – who will have oversight to ensure the breach is contained and measures are put in place to prevent re-occurrence.

Overseas privacy regulators (in countries with mandatory data breach notices) consistently report that most notifiable data breaches occur as a result of either:

  • malicious or criminal breaches – incidents that result from stolen usernames and passwords, usually involving someone being phished or otherwise tricked into handing over login details; and
  • human error – incidents that result from sending personal data to the wrong person.

The key lesson being that you can significantly reduce risks by addressing the human factor. These reforms should prompt you to:

  • promote staff awareness about secure data handling practices;
  • make sure staff know who is responsible for privacy in your organisation, and to contact that person immediately if they know of or suspect a data breach has occurred; and
  • look into the technological solutions available to you: multi-factor authentication, strong security on hardware, system requirements that force users to choose a strong password that must be changed regularly, send-delays on emails, and restricting staff access to only the data they need for their work.

International Data Transfers

The purpose of this reform is to give individuals confidence that their data will only be transferred overseas where there are sufficient privacy protections in place.

The most straight-forward way to comply with the new requirement will be for your organisation to enter into a contract with each overseas recipients of data – that contract will need to contain privacy protections that are comparable to the protections in NZ privacy laws.

The Privacy Commissioner is developing (soon to be released) model contract clauses for organisations to use for this purpose. NZ businesses that engage with EU businesses or customers will be familiar with these types of clauses because model clauses developed by the European Commission are a part of the European data protection framework.

In preparation for the implementation of the NZ privacy reforms, it would be advisable to map out the overseas recipients of the personal data that your organisation handles.

This will be relevant to many NZ businesses, including for example:

  1. NZ resellers/agents who are obliged to transfer customer information they collect to overseas software providers/principals; and
  2. NZ businesses that use overseas cloud hosting services (e.g., AWS) or CRMs that host personal data of customers in other countries. In these situations, we would expect such cloud hosting and CRM providers to start including the model contract clauses into their standard Ts&Cs for NZ clients.


Phil Bain

Phil Bain

P +64 4 550 5315
M +64 27 919 4339
L View Phil’s LinkedIn profile here


Judith Harper

Judith Harper

P +64 21 310 361
L View Judith’s LinkedIn profile here

Murray Whyte

Murray Whyte

P +64 27 531 3730
L View Murray’s LinkedIn profile here

Bruno Bordignon

Bruno Bordignon

P +64 4 280 6260
M +64 21 277 6660
L View Bruno’s LinkedIn profile here