Cyber Risk in Focus – NZ Privacy Act 2020


The long-awaited overhaul of New Zealand’s 27-year-old Privacy Act 1993 has recently been passed and is set to come into effect on 1 December 2020. The new privacy framework is intended to set the standards and expectations for data handling that a digital economy requires, and New Zealand businesses need to start preparing for the changes now. Engaging with the Office of the Privacy Commissioner (OPC), reviewing and testing incident response plans, and considering transferring some of your risk to a cyber-insurance policy are just a few of the steps that can be taken to prepare for the new legislation.

Mandatory notification will apply to any public or private entity that holds personal information. These entities will be required to notify individuals of breaches, regardless of the financial or reputational impact that notification may have on the business. This is just one of the key changes that have been made to the Privacy Act, along with increased powers for the Privacy Commissioner and extra-territorial implications.

In the wake of COVID-19, cyber-attacks became notably more prevalent as hackers sought to exploit the global disruption and the new vulnerabilities created by the increase in remote working. Ransomware also continues to affect a large number of organisations, both by encrypting systems and data and by threatening to sell content on the dark web.

This article discusses the details of the new update to the Privacy Act 2020, along with what the changes mean for businesses in New Zealand.