The changing landscape of data privacy in NZ

The noise over the EU’s introduction of GDPR (General Data Protection Regulation) in April massively raised awareness of the fact that companies increasingly have to deal with complex data sets that they have to treat with enormous care and respect. Many European organisations were late to the party, not to mention many global players who latterly discovered how they were caught up in the regulatory changes.

This was of course compounded by revelations in The Guardian in March regarding Cambridge Analytica ‘stealing’ 87m Facebook customer records.  The shockwaves around this were significant with an enormous drop in measured consumer confidence in Facebook, as well as an initial sharp stockmarket drop.

An example of some of the consumer impact of the Cambridge Analytica revelations are evidenced by these example polls:

  • Fewer than half of Americans trust Facebook to obey U.S. privacy laws.
(Reuters/Ipsos poll)
  • 60 percent of Germans fear that Facebook 
and other social networks are having a negative impact on democracy. 
Bild am Sonntag (Germany’s largest-selling Sunday paper)
  • Trust in Facebook being committed to protecting personal information fell from 79% to 27% at news of the scandal and remained at 28% even after Zuckerberg’s testimony. (Ponemon Institute, April 2018)

With GDPR and Cambridge Analytica, it’s no surprise that privacy has become a hot topic for many consumers, and therefore there’s a real impact for business:

  • 76% of UK internet users aged 16-64 describe GDPR as being extremely or very important to them in relation to their digital lives (GlobalWebIndex, May 2018)
  • In the US, only 25% of consumers say they believe most companies handle sensitive personal data responsibly (PwC’s 2017 US Consumer Intelligence Series survey).
  • 69% of Australians believe that trust in the brand is most important when making a decision about sharing personal information (Deloitte Privacy Index, 2018, n.1000)

 

So what’s happening in New Zealand?

The Minister of Justice introduced a Bill amending the current Act in March 2018. It’s scheduled to be signed into law in July 2019.  The current draft Act was created in 2011; the Privacy Commissioner has submitted a substantial set of recommendations for improvement, recognising the massive change in the use of data since then, especially around the use of ‘big data’.

The Privacy Commissioner recently stated “I’m pleased the Government has moved so promptly to address the immediate need for stronger privacy protections and enforcement powers. Better privacy and data protection regulation is a growing trend in OECD countries like New Zealand.” (John Edwards, NZ Privacy Commissioner, March 2018).

These include the privacy risks of both de-identification and re-identification when consumer data is anonymized and subsequentially re-connected to identifying information; a right to request, correct and transfer personal information; right to erasure; fair use of personal information; algorithmic transparency meaning openness about the purpose, structure and underlying actions of algorithms used to manipulate data; mandatory breach notifications; and penalties for serious non compliance.

 

What should you know?

We recommend you should be building a data environment for the next generation, not for what’s here right now.  If you don’t, you will be doing it again soon.  And it’s an opportunity to take a leadership leap as a brand, especially in consumer services, and be consumer centric.  The research indicates consumers will thank you for it and rate your brand more highly.

Rather than wait to be legislated against, we should imagine the most stringent possible requirements and build to this:

  • Data portability – how easy we make it for you to extract your data
  • Data transparency – how you can see what we hold about you, and correct it
  • Granular opt in – how you can control what we do and don’t tell you about
  • Data policy which is easy to understand
  • Ensure we have consent for the data we have (through the lens of future laws)
  • Ensure all staff members understand the importance
  • Verify our data security – any breach will massively erode trust
  • Have an appointed privacy officer and manage data privacy proactively

 

Learn from those who have missed the mark

“It’s clear now that we didn’t do enough. We didn’t focus enough on preventing abuse. We didn’t take a broad enough view of what our responsibility is, and that was a huge mistake.”

Mark Zuckerberg, April 2018