"If something privacy-related hasn't happened to you, it's coming – so you should be prepared"
The Office of the Privacy Commissioner (OPC) recently released its report on New Zealand’s small businesses and their privacy approach. According to its research, most businesses do have a good understanding of privacy – however, this hasn’t necessarily translated into good day-to-day practices.
In its Small Business Privacy Awareness Survey, 84% of respondents were confident that they could recognise a privacy issue if they saw one – however, 36% didn’t have policies or procedures in place for a range of key events.
According to K3 Legal associate and privacy expert Evie Bello, small businesses generally have the major ransomware and phishing-style threats covered. However, they often overlook the more common accidental mistakes that can happen to anyone in a hurry.
“This might be emailing somebody the wrong information, which most of us have done or been on the receiving end of,” Bello told NZ Lawyer.
“Nine times out of ten you can recall that or ask the other person to delete it, and it’s all okay – but technically that is a breach, and it’s quite a common risk factor because it’s something you can easily do in a rush.”
The OPC report noted that certain sectors have higher risk levels than others, and Bello says these sectors need to be particularly stringent about how they manage privacy risks. These include the healthcare, services, finance and insurance sectors, as well as education and public administration.
“As an employee, breaches can arise in many contexts where you’re dealing with information,” Bello explains.
“People start looking at information just out of interest – even though they have no legitimate reason to actually be looking at it. In a small business context, time and resources are tight, and so doing that privacy risk training on a regular basis is something that can be overlooked, even though it’s probably one of the easiest things to train people on and mitigate from the outset.”
When it comes to preparation, Bello says small businesses need to start by pinning their response steps down. If you have a privacy breach, how do you contain it and who do you notify? If a client asks for personal information, how do you deal with that? Where do your obligations start, and where do they end?
This is often where lawyers can step in to point their clients in the right direction, and guide them towards the Privacy Commissioner’s range of training tools. Bello notes it’s also a good opportunity to simply catch up with a client, and to make sure you’re passing them the right information at the right time.
“A good time to think about privacy protections is when clients are dealing with new partners or suppliers,” Bello notes.
“Nine times out of ten, your counterpart is going to ask for some kind of privileged information. You need to know how your clients’ information is being dealt with on the other side.”
“Consumers themselves have a bit more of an appreciation for privacy now than say 15 years ago, and they want to understand how their data is being used,” she adds.
“We’ve seen small businesses respond early, but equally, we’ve seen them respond only when something’s happened. But if something privacy-related hasn’t happened to you, it’s coming – so you should be prepared.”