Whenever you start a new project within your business, you need to duly consider its potential privacy risks. Indeed, meeting your privacy obligations under New Zealand law is an ongoing process, and introducing new systems or procedures at your business can introduce new risks. A privacy risk refers to the risk that your project will fail to meet your customers’ (or employees’) reasonable expectations of privacy or unreasonably intrude into their personal affairs. This could include breaching the Privacy Act. A failure to identify and mitigate these risks could be a costly mistake, leading to financial, legal, and reputational consequences. Therefore, this article will go through four mistakes to avoid when managing project privacy risks.

1. Underestimating Privacy Risks and Their Consequences

As more of our day-to-day systems shift online, privacy is becoming a growing concern for your customers. Especially if you engage in eCommerce, customers will have certain expectations for how you handle their personal information, such as guaranteeing the security of their credit card details. Underestimating privacy risks and their consequences can be costly and break your customers’ trust if something goes wrong. There are also potential legal penalties if you did not act as securely as the privacy context requires.

These privacy expectations apply no matter your business structure, whether you are a consulting business that solely operates online or a small bakery. According to the law, every agency that deals with personal information in New Zealand has a responsibility to handle that information with due care.

For example, say that you run a beauty salon and someone comes in asking for one of your clients’ addresses to send them flowers. Although it may seem harmless, providing this information is a breach of privacy, and that client could pursue legal action against you.

2. Conducting a PIA Too Late

A privacy impact assessment (PIA) is an analytical tool you can use to identify the privacy risks of a new project or of a change to an existing system. You should incorporate this evaluation into the process of starting a new project so that you can better forecast potential privacy risks. The contents of a PIA will vary according to the project but will generally include:

  • a description of your project in detail;
  • what personal information you need to collect and its purpose;
  • how you will use and securely store this information;
  • how your customers can access and correct their personal information;
  • who you will share any personal information with; and
  • details of personal information disposal methods.

You should also include a risk evaluation that identifies:

  • potential privacy risks;
  • the effects of these risks staying unchecked;
  • how you will mitigate any risks;
  • how this mitigation will reduce any negative privacy consequences; and
  • an action plan for this risk mitigation.

Conducting a privacy impact assessment should not be an offhand checklist you complete at the end of your project to see if you met your privacy obligations. You need to use it proactively to identify potential problems before they can occur and harm your customers’ privacy.

3. Failing to Manage Privacy Risks Throughout the Project

You need to update your privacy impact assessment when the needs of your project change as it develops. Unforeseen privacy problems may arise, and you need to remedy them as appropriate. Your privacy obligations are ongoing, so you need to maintain that same vigilance for privacy risks throughout your project.

For example, you may have started developing an app a year ago and completed a PIA when you started. However, in that time, privacy law in New Zealand has changed. You need to update your PIA to reflect the change in your privacy obligations that the law requires.

Follow through on any necessary privacy procedures you outlined in your PIA, and update it as time goes on. Indeed, failing to keep this document relevant throughout your project may lead to unaddressed problems with costly effects.

For instance, you may identify in your PIA that leaving devices with sensitive project information on them unattended is a privacy risk. Therefore, you need to follow through during the project and protect these devices.

4. Not Developing a Response Plan

As a part of your privacy impact assessment, you identify privacy risks and develop ways to mitigate them. However, you also need to plan for unexpected situations such as privacy breaches. You should develop an incident response plan for privacy risks out of your control, identifying the appropriate response for mitigating a breach’s consequences. Your plan should detail how you will:

  • identify and contain the problem;
  • assess and mitigate the problem’s effects;
  • notify any relevant parties, such as the Privacy Commission; and
  • prevent similar breaches in the future.

Keep in mind how fast information can spread and what your team members need to put your response plan into place effectively. You also need to consider the sensitivity of any personal information your project uses.

Key Takeaways

Meeting your privacy obligations as a business is an ongoing process, which you should reflect on every time you start a new project. Therefore, you need to assess that project’s privacy risks and handle them accordingly. If you would like more information or help with your project’s privacy risks, contact LegalVision’s privacy lawyers on 0800 005 570 or fill out the form on this page.

Frequently Asked Questions

What is a privacy risk?

A privacy risk is a broad term that can refer to a variety of risks. Generally, it can refer to the risk that a project will go against your customers’ expectations for privacy, such as breaching the Privacy Act.

What is a privacy impact assessment?

A privacy impact assessment is an analytical tool that you can complete to identify the privacy impacts of a new project or change in a business system. You can use it to highlight the privacy risks of a project and identify ways to mitigate those risks.

About LegalVision: LegalVision is a tech-driven, full-service commercial law firm that uses technology to deliver a faster, better quality and more cost-effective client experience.
