Modern technology allows business to be conducted anywhere, at any time and at high speed. However, the trade-off for increased business efficiency is an increased risk of privacy breaches.

Customer data should be protected, but sometimes something goes wrong. How should your business deal with a potential privacy breach?

We recommend a simple, common sense approach.

Proactive policies

Make sure all staff know who your Privacy Officer is, and who to contact if something goes wrong. Emphasize that “near misses” must be reported, as well as actual breaches of privacy.

A few simple employment policies will also help prevent privacy breaches. For example:

  • Clear security policies, including rules against divulging alarm codes, network passwords, or other security information.
  • Clear “bring your own device” and working from home policies.
  • A rule that employees must type out email addresses in full rather than rely on “auto-fill” suggestions.

Initial and immediate response

Once you become aware of a possible privacy breach, contain the situation. For example, change passwords or shut down systems. If the breach involves theft, contact the police.

Investigate
Clarify what information has been breached, how sensitive that information is, and how the information might be used by a third party.

Ask questions to determine the cause and extent of the breach.

Consider who is impacted by the breach, and what harm might arise from it. Take steps to prevent the problem from getting any bigger.

Notify
As soon as you have the relevant information, let those affected know that their information has been breached.

Be specific. You do not want to worry customers by telling them only that “your personal information has been leaked”. Customers want to know what information has been leaked, how that happened, and what you are doing to make it right. You should have this information to hand if you have conducted an initial investigation.

Depending on the situation, you might also need to contact the Privacy Commissioner, the Police, your insurer, a professional body, credit card companies, or other organisations.

Prevent a recurrence
After you have dealt with the crisis, take steps to ensure it won’t happen again. This may involve reviewing your systems and policies, or re-educating staff on how to protect information.