Simple steps to build a solid foundation for privacy

Training, empowerment and leadership from the boardroom are vital in establishing an effective privacy culture.

By Michael Webster, Privacy Commissioner
2 Apr 2025

Building a solid privacy foundation takes considerable time and effort, but there are some relatively simple steps that will go a long way towards improving an organisation’s privacy culture.

Boardroom leadership is a must: if people know privacy is taken seriously at the top table, and you share that privacy is on the agenda, it helps privacy be seen as valuable throughout the organisation.

This includes emphasising the business benefits of privacy and stressing it’s not just a compliance function, but a valuable tool in keeping customer trust, improving risk management and helping protect against malicious activity like cyberattacks and data hacks. 

Three relatively simple things directors can do to improve privacy practices are to empower your privacy officer or privacy teams, support privacy training, and check your organisation’s privacy breach plan.  

The Privacy Act requires all agencies to have at least one person who’s familiar with the agency’s privacy obligations and fulfils the role of a privacy officer. Not only is this a legal requirement, but ensuring your privacy officer has the necessary tools to do their job effectively will help them support your organisation to improve privacy practices.

While dedicated privacy expertise is essential, it’s also important to upskill all staff about privacy, especially those responsible for handling personal information. 

Training plays a key role. Encourage leaders to make time for their people to do our free e-learning modules. There are other learning and professional development opportunities to explore too. Many places get their new staff to complete privacy modules, but unless that knowledge is tested again it risks being lost. Think about how privacy is embedded into ongoing training and learning practices.

Having good training and a high-functioning privacy team are great prevention measures. However, privacy breaches can happen to any organisation, and preparing now will help you handle them when they happen, saving time and money.

A good privacy breach plan will enable you to respond quickly to a breach or incident, which can substantially decrease the impact on affected individuals, reduce the costs associated with dealing with a breach and reduce the reputational damage to your organisation. 

No system is infallible. Working on your privacy breach plan will help ensure you’re well placed to act should a privacy breach occur. Running drills and analysing what went wrong and why can help you put steps in place to fix the issue and prevent it happening, or stop it happening again.

To help the Office of the Privacy Commissioner understand if basic privacy practices are in place at the organisations you are a director of, please complete this short survey. All answers are confidential. 

No matter the answer, good, bad or a mix (answers are anonymous), the responses will help us understand the level of privacy maturity in New Zealand, both in general and at the boardroom level, which in turn can help us develop more resources and further education in addition to those we already have at privacy.org.nz.