As we put 2020 behind us and look forward to 2021, we reflected in an interactive virtual discussion forum on the key IG learnings from the past 12 months and the insights and actions we now need to be taking to make the most of the opportunities and challenges on the road to recovery in 2021.
We’ve seen the different ways governments have responded to the COVID-19 pandemic and the results in managing the pandemic. Similarly, organisations have had to adapt to the changes and, in particular, to faster digital transformation. Robust governance of organisations and of information has never been so important. Increased cyber risks and the importance of access to real-time and accurate data for decision-making, both at the board level and throughout the organisation, are now critical issues.
Our expert panel included InfoGovANZ International Council member, Daimhin Warner, who is a Director of Simply Privacy, a NZ consultancy providing privacy advice, strategy and training to business and government, and NZ Country Leader for the International Association of Privacy Professionals (IAPP). He’s a privacy professional with over 15 years' privacy and related experience in both the public and private sector.
Daimhin worked with the Office of the NZ Privacy Commissioner for 7 years, ultimately managing the Commissioner's Auckland Investigations Team. Daimhin then moved to NZ’s largest life insurer, where he created and headed a Privacy Team and programme, before co-founding Simply Privacy in 2015.
The evolution in global privacy regulations will continue - since the EU’s GDPR, we witnessed the phenomenon of ‘GDPR-isation,’ the development of myriad privacy laws around the world intended to meet or exceed the high-water mark set by the GDPR. Examples include India’s upcoming Personal Data Protection Act, Brazil’s General Data Protection Law, and, of course, the UK’s GDPR (designed to mirror the EU’s GDPR post-Brexit). This explosion of privacy regulations is essential for the maintenance of a functioning global economy, fuelled by the sharing of personal information across borders.
- ANZ was no exception - the NZ Privacy Act 2020, which commenced in December 2020, moves NZ further along the regulatory spectrum, introducing mandatory privacy breach notifications, limitations on cross-border data transfers and extraterritorial effects, and providing the NZ Privacy Commissioner with increased enforcement powers. 2021 will be all about the bedding in of this new Act.
- We will see increased enforcement action from the Privacy Commissioner as he flexes his new regulatory muscles - importantly, we will also learn in 2021 if NZ has retained its EU Adequacy status. This coveted status means that organisations in the EU may transfer personal information to NZ organisations in compliance with the GDPR without having to put any other measures (such as Standard Contractual Clauses) in place. This is critical to NZ’s rapidly growing community of innovative start-ups and the software as a service (SaaS) products they develop for a global market.
And in Australia
- The Australian Privacy Act 1988 is under review, with lawmakers considering a host of major changes intended to bring the Australian law up to global standards. Possible amendments will include removing the somewhat unbelievable small business and employee exemptions, thereby broadening the reach of the law to cover most, if not all, organisations and individuals in Australia. The review will also reflect on the operation of the mandatory breach notification regime introduced in 2018 to ensure it is meeting its objectives. We can expect an update in the coming months, reflecting submissions received from public and private sector agencies across the country.
- In both Australia and NZ, we are also likely to see further developments in the areas of data portability (referred to this side of the world as the ‘consumer data right’), ethics in AI and algorithms, indigenous approaches to privacy (led by efforts to better understand and address Maori data sovereignty in NZ), and the regulation of big tech companies, such as Google and Facebook.
Actions for leaders:
- Organisations and the experts supporting them need to learn the new laws and ensure your processes and procedures comply.
You can read the insights from the rest of our expert panel in our InfoGovANZ Key Learnings from 2020 – Action and Insights for 2021 Report. The report was developed from a virtual forum discussing the impact of COVID-19 and IG implications for organisations on data, access to information, trust, transparency and accountability, cybersecurity, global privacy regulatory developments, eDiscovery, ethics and artificial intelligence.
You can also watch the recording of the 28 January 2021 webinar here.