How the New Zealand Privacy Act 2020 Impacts MSPs

December 10, 2020

How the New Zealand Privacy Act 2020 Impacts MSPs

By Courtney Heinbach

On 1 December, New Zealand introduced its Privacy Act 2020 that replaced the previous Privacy Act 1993. The aim of the updated Act is to strengthen privacy protections of New Zealanders, which is done via a modernised framework reflective of modern challenges in privacy protection. In doing so, it promotes early intervention and risk management by organisations (and people) when handling personal information.

Ultimately, the Act will expose and penalise businesses that don’t do the right thing by New Zealanders’ privacy, similar to how the General Data Protection Regulation (GDPR) works in Europe or Notifiable Data Breaches works in Australia.

With this in mind, many businesses may turn to you as their managed service provider (MSP) to ask them to assist in implementing technical controls in order to help support their compliance. Here’s what you should know.

Privacy breaches need to be reported

If an organisation suffers a data breach that causes serious harm or is likely to do so, it must notify those affected as well as the Privacy Commissioner. It’s a fairly straightforward change, yet arguably the most important as it ensures accountability of data protection and encourages businesses to take all necessary steps to protect people’s information.

Businesses that suffer a notifiable data breach yet fail to notify the relevant parties will face a fine up to NZD10,000.


As part of the Act, the Privacy Commissioner will have more powers than before. Notices will be issued to businesses considered to have breached the new Act, requiring them to remedy the breach. Failure to do so could see the Commissioner taking enforcement proceedings in the Human Rights Review, which could again end up with a fine up to NZD10,000.

Storing information offshore

Many organisations store information overseas for various reasons. Under the new law, if an enterprise is storing its data overseas, it must ensure the personal information is being protected by comparable privacy standards to those seen in New Zealand.

What businesses should be doing

With the Act already in place, MSPs across the country should already be working closely with their customers to help ensure they’re prepared to address these changes. But as with all things relevant to enterprise technology, it’s important to regularly review and assess—and that’s one place where MSPs have a vital role to play, as businesses see them as their technology partner.

MSPs should ensure customers have adequate cybersecurity infrastructure that will thwart cyberattacks. These malicious attacks are inevitable, so it’s important to have the infrastructure in place to protect businesses and the data they hold.

In addition to the above, MSPs may be able to provide technical advice to help their customers develop a plan with respect to issues associated with a data breach, IT recovery, and operational recovery.

The New Zealand Privacy Act 2020 does ask businesses within New Zealand to evaluate the way they collect and store data as well as report on data breaches. Businesses often rely on MSPs to help provide them with technical advice on every aspect of their technology stack, so it’s important they support customers through this change by answering their customers’ questions as they work through this new privacy environment.

Relevant Articles

Subscribe to the Blog