The Privacy Act 2020 has been in force for years, but many NZ businesses still don’t have the basics in place. Here’s a practical guide to your obligations.
If you run a business in New Zealand and you collect, store, or use information about identifiable people (customers, staff, suppliers, anyone), the Privacy Act 2020 applies to you. Not just to big corporates. Not just to tech companies. To you.
The good news: compliance doesn’t have to be complicated. Here’s what you actually need to know, and what you actually need to do.
First, a quick refresher on what changed
The Privacy Act 2020 replaced the 1993 version and brought New Zealand’s privacy law into the modern era. The big shifts were:
- Mandatory breach reporting. If a privacy breach has caused (or is likely to cause) serious harm, you must notify the Privacy Commissioner and the affected individuals as soon as practicable after you become aware of it. This is not optional.
- New criminal offences. It’s now a criminal offence to mislead an agency to access someone else’s information, or to destroy information someone has requested access to.
- Stronger compliance tools. The Privacy Commissioner has more teeth — including the power to issue compliance notices.
- Extraterritorial reach. If your business is based overseas but does business in New Zealand, the Act can still apply.
The Information Privacy Principles (IPPs) at the heart of the law mostly carried over from 1993. The 2020 Act added a new principle restricting disclosure of personal information overseas, bringing the total to 13, and it raises the stakes for ignoring any of them.
The 13 Information Privacy Principles — simplified
You don’t need to memorise the legislation. Here’s what the principles mean in plain language:
- Collect only what you need. Don’t gather personal information just because you can.
- Collect it directly from the person. Where possible, get information from the individual themselves.
- Tell people what you’re collecting and why. Be upfront at the point of collection.
- Don’t collect information by unfair means. No tricks, no deception.
- Keep it accurate and current. Stale or wrong data can cause real harm.
- Don’t keep it longer than necessary. Have a retention policy and stick to it.
- Keep it secure. Protect personal information from loss, misuse, or unauthorised access.
- Don’t use it for a different purpose than it was collected for. Unless the person consents or the law requires it.
- Don’t disclose it without good reason. Think carefully before sharing personal information with third parties.
- People have the right to ask what you hold about them. You must respond within 20 working days.
- People can ask you to correct their information. You must either fix it or note their objection.
- Identifiers. Don’t assign unique identifiers without a good reason, and don’t share them across agencies unnecessarily.
- Be careful sending it overseas. You can only disclose personal information to an organisation outside New Zealand if it will be protected by safeguards comparable to the Act (for example, comparable privacy law or binding contract terms), or the person expressly agrees after being told it may not be. Cloud providers hosted offshore count.
What you must have in place
A Privacy Policy (that people can actually find)
You need a clear, accessible privacy policy that explains what personal information you collect, why you collect it, how you use it, and who you share it with. It doesn’t need to be long — it needs to be honest and readable. If it’s buried in the footer in 8pt font, it’s not serving anyone.
A Privacy Officer
Every agency that collects personal information must have at least one designated privacy officer; this is a requirement of the Act, not a recommendation. In a small business, that's probably you. The role involves being the go-to person for privacy questions, managing access requests, working with the Privacy Commissioner if needed, and leading the response if something goes wrong.
You don’t need to register this person anywhere — just decide who it is and make sure they know what they’re responsible for.
A process for access requests
When someone asks what information you hold about them (a Privacy Act request), you must respond as soon as reasonably practicable, and no later than 20 working days after you receive it. Those are working days, not calendar days: weekends, public holidays and the Christmas and New Year period don't count, so the deadline is usually later than four weeks but you should not treat it as a target. If you've never thought about how you'd handle that, now's the time.
You need to be able to:
- Locate the relevant information across your systems
- Confirm the requestor's identity before you release anything (misleading an agency to get at someone else's information is now an offence, and you don't want to be the agency that was misled)
- Provide the information (or explain why you can’t)
A breach response plan
Privacy breaches happen. A plan means you respond quickly and correctly instead of in a panic.
Your plan should cover how you'll detect a breach, who decides whether it's notifiable, and how you'll notify the Privacy Commissioner and affected individuals when required. The notification to the Commissioner goes through their online tool at privacy.org.nz, and it has to happen as soon as practicable after you become aware of the breach; there is no fixed grace period to wait out.
The threshold for mandatory reporting is whether the breach has caused, or is likely to cause, serious harm to someone affected. When in doubt, notify.
A data retention policy
You shouldn't be holding personal information indefinitely. Decide how long you need each category of information, what event starts the clock (an account closing, a job application being decided), and have a process for securely deleting it when that time is up, including the copies that sit in backups, exports and mailboxes. This is one of the most commonly overlooked obligations, and one of the simplest to address.
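As an added example (not code from the original post, nor from the Office of the Privacy Commissioner), here is a small Python script that turns a retention policy into something a business can actually run each year: it records each category's retention period and the event that starts the clock, notes where each record lives (which doubles as a minimal data map), and reports what is now due for deletion. The categories, periods, systems and sample records are constructed placeholders, not legal retention periods; set your own and document the reason for each.

```python
"""Retention-schedule check: an illustrative script added for this article.
Not code from the Office of the Privacy Commissioner or any product. The
categories, retention periods, systems and sample records below are
constructed placeholders; replace them with your own schedule."""
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Schedule: category -> (event that starts the retention clock, months to keep).
# Placeholder periods for illustration only; decide yours per category and
# record the reason next to each entry.
RETENTION_SCHEDULE: Dict[str, Tuple[str, int]] = {
    "customer_account": ("account_closed", 24),
    "job_applicant": ("decision_made", 6),
    "marketing_contact": ("last_contact", 12),
    "support_ticket": ("ticket_closed", 12),
}


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    system: str                   # where it lives: the data map entry
    trigger_date: Optional[date]  # when the clock started; None means still in active use


def add_months(d: date, months: int) -> date:
    """Shift a date forward by whole months, clamping to the last day of the month."""
    year = d.year + (d.month - 1 + months) // 12
    month = (d.month - 1 + months) % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


def deletion_due_date(record: Record) -> Optional[date]:
    """Date on which the record should be deleted, or None if its clock has not started."""
    _event, months = RETENTION_SCHEDULE[record.category]
    if record.trigger_date is None:
        return None
    return add_months(record.trigger_date, months)


def review_inventory(inventory: List[Record], today: date) -> Dict[str, list]:
    """Sort the inventory into records due for deletion, records to keep (with their
    future due date, or None while active), and records whose category has no
    schedule entry. Unmapped records are reported, never silently kept."""
    due: List[Tuple[Record, date]] = []
    keep: List[Tuple[Record, Optional[date]]] = []
    unmapped: List[Record] = []
    for rec in inventory:
        if rec.category not in RETENTION_SCHEDULE:
            unmapped.append(rec)
            continue
        due_on = deletion_due_date(rec)
        if due_on is not None and due_on <= today:
            due.append((rec, due_on))
        else:
            keep.append((rec, due_on))
    due.sort(key=lambda item: item[1])  # oldest overdue first
    return {"due": due, "keep": keep, "unmapped": unmapped}


# Constructed sample inventory (not real data).
SAMPLE_INVENTORY = [
    Record("cust-001", "customer_account", "crm", date(2022, 3, 31)),
    Record("cust-002", "customer_account", "crm", None),
    Record("app-017", "job_applicant", "hr_drive", date(2025, 2, 15)),
    Record("mkt-440", "marketing_contact", "mailer", date(2023, 1, 31)),
    Record("old-009", "legacy_export", "shared_drive", date(2019, 6, 1)),  # not in the schedule
]
REVIEW_DATE = date(2025, 6, 1)  # the annual review date; a constructed value


if __name__ == "__main__":
    result = review_inventory(SAMPLE_INVENTORY, REVIEW_DATE)
    for rec, due_on in result["due"]:
        print(f"DELETE   {rec.record_id:<9} in {rec.system:<12} (due {due_on.isoformat()})")
    for rec, due_on in result["keep"]:
        when = due_on.isoformat() if due_on else "active, clock not started"
        print(f"KEEP     {rec.record_id:<9} in {rec.system:<12} (until {when})")
    for rec in result["unmapped"]:
        print(f"UNMAPPED {rec.record_id:<9} in {rec.system:<12} category '{rec.category}' needs a schedule entry")
```

The part worth copying is the unmapped bucket: any record whose category has no schedule entry is reported rather than quietly kept, which is how the "store everything just in case" habit gets caught. Run it on your chosen review date and act on the DELETE list, remembering that the copies in backups and exports need the same treatment.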
Common mistakes NZ businesses make
"We're too small to worry about this." The Act applies to any person or organisation that collects personal information, regardless of size or turnover. There's no small-business exemption.
“Our privacy policy is fine — we copied it from another website.” A generic policy that doesn’t reflect how your business actually operates gives you no protection and could actively mislead customers.
“We’ll deal with a breach if it happens.” Figuring out your breach response on the fly, while under pressure, almost always leads to delays, mistakes, and unnecessary harm. Plan ahead.
“We store everything, just in case.” Hoarding data you don’t need isn’t just bad practice — it increases your exposure. The more personal information you hold, the more there is to protect, and the bigger the impact if something goes wrong.
“Our IT provider handles security, so we’re covered.” Technical security is one piece of the puzzle. Privacy compliance is broader — it covers how you collect data, what you do with it, who has access, and how you respond when things go wrong. You can’t outsource accountability.
Where to start if you haven’t started yet
If your business isn’t privacy-compliant yet, don’t let perfection be the enemy of progress. Start here:
- Map your data. Write down what personal information you collect, where it's stored (including with cloud and overseas providers), who can access it, and how long you keep it.
- Appoint a privacy officer. Even if it’s just you.
- Review your privacy policy. Does it accurately describe what you actually do?
- Create a simple breach response checklist. Know who decides, who notifies, and how.
- Set a data retention schedule. Pick a date each year to delete what you no longer need.
None of these steps require a lawyer or a consultant. They require a few hours and some honest thinking about your business.
Need to go deeper?
The Office of the Privacy Commissioner has practical guidance at privacy.org.nz, including templates, tools, and a useful self-assessment checklist.
If you’d like help working through what compliance looks like for your specific business, get in touch — we’re here to make this straightforward.
This post is general information only and does not constitute legal advice. For advice specific to your situation, consult a qualified privacy or legal professional.
