A quick guide to the New Zealand Privacy Act 2020 for DBAs
December 1 saw the introduction in New Zealand of the Privacy Act 2020 which not only brings increased protection for individuals but also has some new implications for businesses, including increased fines for non-compliance and the reporting of serious privacy breaches.
However, the changes and impact may be less than organizations fear because the act is aligned to international standards, like the GDPR in the EU, along with developments in technology so that New Zealand keeps pace with global privacy requirements.
One of the more important aspects for businesses is to ensure they secure the sensitive data they hold and, importantly, have remediation plans in place should there be a breach. So what does this mean for you, the DBA?
Why DBAs should care about this
When it comes to securing sensitive data and remediation plans, one of the biggest issues is understanding where your sensitive data is and the risk associated with it. For DBAs, knowing what data sits in each database, and classifying it, is key to long-term successful compliance.
This can be a daunting task, especially without a deep understanding of the regulatory and compliance needs of the organization you work for, particularly around the correct tagging of data. However, when looking to make changes to ensure compliance with the Privacy Act 2020, learnings can be taken from the GDPR. Understanding how organizations in and beyond the EU have approached and successfully complied with the 2018 regulation provides a shortcut to successful Privacy Act 2020 compliance.
A technology approach to success
A technology solution is the preferred route for compliance and is referenced within the Privacy Act 2020. This aligns closely with the GDPR and, on numerous occasions where organizations have failed to comply with the regulation, the EU’s Information Commissioner’s Office has publicly stated non-compliance is not acceptable when technology solutions are available.
Those solutions give DBAs like you a distinct advantage in being able to accelerate time to compliance, ensure new data entering your database estate is classified and handled correctly, and demonstrate the ability to remain compliant in the long term.
It’s no secret that Redgate provides such a solution. SQL Data Catalog helps our customers find, identify and classify sensitive data collected by their organization. Data Masker for SQL and Oracle enables our customers to replace personal data with realistic but fake data, allowing developers to work with databases without having access to or exposing sensitive information.
After classifying his organization’s entire data estate in a matter of weeks (that’s quick), one customer told us that he simply couldn’t have done it without SQL Data Catalog. Chris Yates, Vice President and Director of Data and Architecture at Republic Bank in the US, went further. In his blog post about cataloging and masking data at the bank, he writes:
"Going back to the third party auditor who first mentioned Redgate tools, everyone now knows right across the business that when our internal processes are audited in future, we’ll have everything that’s needed to demonstrate how we protect data before the auditors even walk through the door."
Making integration part of the approach
To make the process even easier for DBAs, Data Catalog and Data Masker are integrated, vastly reducing the time it takes customers to protect their data estate. The integration features include:
- Foundational tags: Data Catalog ships with a set of default tags that provide you with a starting point and a foundation from which to classify your estate.
- Default masking sets: Tags in Data Catalog map directly to pre-made masking sets in Data Masker, so that any data classified using the Data Catalog tags can be masked immediately with no extra effort.
- Customizable integration: If the default tags and masking sets don’t cover every scenario, you can easily add your own tags and map them to your own masking sets.
- GUI integration: All these features are accessible via the Graphical User Interface, making them simpler to use.
It’s features like these that are making a big difference, encouraging more organizations to invest in data protection, and empowering DBAs to feel supported in protecting sensitive data in their database estates.
The time to act is now
The Privacy Act 2020 has moved classifying and protecting data from the wish list to the must-do list for any organization which handles the personal information of individuals resident in New Zealand – whether the organization is in New Zealand or not.
While you may not have the resources or knowledge to get started, our experience and insights in helping customers comply with the GDPR in the EU and other regulations like the CCPA and HIPAA in the US provide a shortcut. Quite simply, we can help you reduce the time and effort required to classify and mask data, and ensure compliance with the Privacy Act 2020.
If you’d like to speak with our experienced DBAs to help you understand more, contact us and we can arrange a 1-2-1 meeting to accelerate your journey. Alternatively, tune into this Privacy Act 2020 panel discussion to discover the lessons we learned from the leading DBAs behind GDPR compliance.