What impact does the Privacy Act have for businesses in New Zealand?
The Privacy Act 2020 applies to every business in New Zealand, no matter how small.
If you collect or store personal information about customers, staff, or suppliers, you have responsibilities under the law.
For most businesses, compliance starts with a few practical steps:
● Know what personal information you collect.
● Understand why you collect it.
● Make sure it's stored securely.
● Limit who can access it.
● Only keep it for as long as necessary.
● Appoint a Privacy Officer.
In my experience working with organisations, the biggest privacy risks usually come from everyday tools such as spreadsheets, marketing databases, and staff using AI tools without clear guidance.
Once you understand where your information lives and how it flows through your organisation, privacy compliance becomes much easier to manage.
Why the Privacy Act matters for every New Zealand business
Many businesses assume privacy law mainly affects large organisations or government agencies.
In reality, the Privacy Act 2020 applies to any organisation that handles personal information, regardless of size.
If your business collects information such as:
● names
● phone numbers
● email addresses
● employment records
● customer history
● marketing database details
then the Privacy Act already applies to you.
In practice, this means your business needs to follow the 13 Information Privacy Principles (IPPs) set out in the Act, which govern how personal information is collected, used, stored, shared, and retained.
People are also becoming much more aware of their privacy rights.
Customers and staff increasingly expect organisations to handle their information responsibly.
When businesses can demonstrate that they take privacy seriously, it builds confidence and trust.
What personal information businesses can legally collect
The Privacy Act doesn't stop businesses from collecting personal information. What it does require is that you collect information for a lawful purpose connected with your activities, and only where collecting it is necessary for that purpose (Information Privacy Principle 1).
In simple terms, organisations should only collect information that's necessary for their business activities.
For example, a business may reasonably collect:
● contact details to provide services.
● payment details for invoicing.
● delivery addresses.
● employee information for payroll and employment records.
● customer preferences for marketing communications.
However, the Act requires organisations to be transparent about why information is collected and how it'll be used.
Many organisations assume if information is useful, they can collect it. In reality, the question should always be:
Do we actually need this information to do our job?
If the answer isn't clear, it's often a sign that processes need reviewing.
What businesses must do to protect the information they hold
Once personal information has been collected, organisations are responsible for protecting it from loss, misuse, or unauthorised access.
For most businesses, the biggest risks usually aren't sophisticated cyber attacks.
Instead, they tend to come from everyday practices such as:
● customer or staff information stored in unsecured spreadsheets.
● shared folders that too many people can access.
● email attachments containing sensitive information.
● outdated records kept indefinitely.
● documents shared internally or externally without clear controls.
The Privacy Act requires organisations to put reasonable safeguards in place (Information Privacy Principle 5) to protect personal information against loss, and against unauthorised access, use, modification, or disclosure.
In practice, this usually means putting some basic protections in place, such as:
● secure digital storage systems.
● clear access permissions.
● safe document sharing practices.
● processes for securely deleting old data.
● staff awareness of privacy responsibilities.
Good privacy practice isn't just about security technology. It's also about making sure staff understand how information should be handled.
The biggest privacy risks I see in New Zealand businesses
In my experience working with organisations, the most common privacy risks aren't complex or technical. They're usually the result of everyday habits that have developed over time.
Marketing databases growing without clear controls
Many organisations collect customer data for newsletters, promotions, or events.
Over time these databases can grow large, and it becomes unclear:
● where the information came from.
● whether people consented to marketing.
● who can access the data.
● how it's being used.
Without clear management, marketing lists can quickly become a privacy risk.
Staff and customer information stored in spreadsheets
Spreadsheets are one of the most common tools used by businesses. While they're useful, they often contain sensitive personal information and are frequently shared or copied between staff.
Without proper access controls, that information can easily end up in places it shouldn't.
Staff using generative AI tools
Another risk I increasingly see is staff pasting information into AI tools such as ChatGPT without understanding the privacy implications.
If personal information is entered into external AI tools without proper safeguards, organisations may lose control of how that information is used or stored. Because many of these services are hosted overseas, pasting personal information into them can also amount to a disclosure outside New Zealand, which the Act's cross-border disclosure principle (Information Privacy Principle 12) only permits in limited circumstances, such as where the recipient is subject to comparable privacy safeguards.
Responsible AI governance is quickly becoming an important part of modern privacy management.
Holding on to information for too long
Many businesses keep information indefinitely because it feels safer not to delete it.
In reality, keeping unnecessary information increases privacy risk.
The Privacy Act expects organisations to retain personal information only for as long as it's needed for the purposes for which it may lawfully be used (Information Privacy Principle 9).
Why every organisation must appoint a Privacy Officer
One requirement that often surprises small business owners is that every organisation must appoint a Privacy Officer.
The Privacy Officer doesn't need to be a full-time role, and in many small businesses it becomes part of someone's existing responsibilities.
Their role usually includes:
● overseeing privacy practices.
● responding to privacy questions or concerns.
● managing privacy breaches, including assessing whether a breach has caused or is likely to cause serious harm and therefore must be notified to the Privacy Commissioner and the affected individuals.
● ensuring policies and procedures are followed.
● acting as a point of contact with the Privacy Commissioner if needed.
Having a clearly identified Privacy Officer helps make sure privacy responsibilities don't fall through the cracks.
What privacy documentation businesses should have in place
Privacy compliance doesn't mean creating large amounts of paperwork.
However, there are a few key documents that help organisations demonstrate they're managing personal information responsibly.
These often include:
● a privacy policy explaining how personal information is handled.
● data mapping showing what information is collected and where it's stored.
● data retention guidelines outlining how long information is kept.
● internal privacy procedures for staff.
● AI use guidelines, particularly if generative AI tools are used in the workplace.
Many organisations assume privacy compliance requires complex legal frameworks.
In reality, starting with a clear understanding of your information and how it flows through your organisation makes everything else easier.
A practical starting point: understanding your data
One of the most valuable exercises any organisation can do is data mapping.
This simply means identifying:
● what personal information you collect
● why you collect it
● where it's stored
● who has access to it
● how long you keep it
● who it's shared with
Once you understand this, privacy risks become much easier to identify and manage.
In many organisations, this process reveals information stored in unexpected places or accessed by more people than intended.
If you're unsure where to begin, this is often the best place to start.
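A practical way to find where personal information is sitting on a file share is to scan it. The script below is an added example written for this article, not a tool from the original page or from any vendor: it walks a directory tree, counts email addresses and New Zealand-style phone numbers in plain-text files (CSV exports, notes, logs; .xlsx would need a library such as openpyxl, which it deliberately avoids), and flags files not modified in longer than a retention limit. The regular expressions, the two-year default retention period, the file extensions scanned, and the sample files it builds are all assumptions made for the example; the sample data is constructed and not real.

```python
"""Discovery scan for personal information on a file share, as a data-mapping aid.

Added example for this article (hypothetical tool). Patterns and limits below are
assumptions chosen for demonstration; tune them to your own environment.
"""
import os
import re
import tempfile
import time
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Heuristic patterns (assumptions): email addresses, and NZ phone numbers written as
# 021 123 4567, 09 555 1234 or +64 27 555 0199. Expect some false positives.
EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")
NZ_PHONE_RE = re.compile(
    r"(?<!\d)(?:\+64[ -]?|0)(?:2\d|[3-9])[ -]?\d{3}[ -]?\d{3,5}(?!\d)"
)
# Text formats readable without extra libraries; .xlsx would need openpyxl.
SCAN_EXTENSIONS = {".csv", ".txt", ".md", ".json", ".log"}


@dataclass
class Finding:
    path: str             # file path relative to the scanned root
    emails: int           # number of email addresses matched
    phones: int           # number of NZ phone numbers matched
    age_days: float       # days since the file was last modified
    over_retention: bool  # True when age_days exceeds the retention limit


def count_pii(text: str) -> Tuple[int, int]:
    """Return (email_count, phone_count) for a block of text."""
    return len(EMAIL_RE.findall(text)), len(NZ_PHONE_RE.findall(text))


def scan_tree(root: str, retention_days: int = 730,
              now: Optional[float] = None) -> List[Finding]:
    """Walk root and report every text file containing personal information.

    Files are read as UTF-8 with undecodable bytes ignored so one odd file does
    not abort the scan. Only files with at least one match are returned, sorted
    by path, so the report doubles as a first-pass data map.
    """
    now = time.time() if now is None else now
    findings: List[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in SCAN_EXTENSIONS:
                continue
            full = os.path.join(dirpath, name)
            with open(full, encoding="utf-8", errors="ignore") as fh:
                emails, phones = count_pii(fh.read())
            if emails + phones == 0:
                continue
            age_days = (now - os.path.getmtime(full)) / 86400
            findings.append(Finding(
                path=os.path.relpath(full, root),
                emails=emails,
                phones=phones,
                age_days=age_days,
                over_retention=age_days > retention_days,
            ))
    return sorted(findings, key=lambda f: f.path)


def build_sample_tree(base: str, now: Optional[float] = None) -> None:
    """Create a small constructed file share for the demo (fictional data only)."""
    now = time.time() if now is None else now
    os.makedirs(os.path.join(base, "marketing"), exist_ok=True)
    os.makedirs(os.path.join(base, "archive"), exist_ok=True)
    samples = {
        "marketing/newsletter_list.csv": (
            "name,email,phone\n"
            "Aroha Ngata,aroha.ngata@example.com,021 123 4567\n"
            "Ben Tane,ben@example.co.nz,09 555 1234\n"
            "Cath Lee,cath.lee@example.org,+64 27 555 0199\n"
        ),
        "notes.txt": "Team meeting at 10:30, agenda item 3: review retention policy.\n",
        "archive/old_export.csv": "name,email\nOld Customer,old.customer@example.com\n",
        # Not a scanned extension, so the address inside is deliberately not reported.
        "photo.bin": "binary-ish content with hidden@example.com inside\n",
    }
    for rel, content in samples.items():
        with open(os.path.join(base, rel), "w", encoding="utf-8") as fh:
            fh.write(content)
    # Backdate the archive export by 1000 days so it trips the two-year limit.
    old = now - 1000 * 86400
    os.utime(os.path.join(base, "archive", "old_export.csv"), (old, old))


def run_demo() -> List[Finding]:
    """Build the constructed sample tree in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for f in run_demo():
        flag = "  <-- past retention limit" if f.over_retention else ""
        print(f"{f.path}: {f.emails} email(s), {f.phones} phone(s), "
              f"{f.age_days:.0f} days old{flag}")
```

Run it against a real share by calling scan_tree on the share's root instead of the temp directory; the output is a list of files to add to your data map, with the stale ones already marked as candidates for secure deletion. Treat the counts as leads to check by hand rather than proof, since the patterns are heuristic.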
If you'd like help mapping your organisation's data and understanding your Privacy Act responsibilities, feel free to get in touch.
Privacy compliance is about trust as much as law
Privacy compliance is often seen as a legal obligation, but it also plays an important role in building trust.
Customers, clients, and staff want to know that the organisations they work with take care of their personal information.
When organisations take practical steps to understand and manage their data, they strengthen both their compliance and their reputation.
Privacy doesn't have to be overwhelming. Starting with the basics and improving over time can make a significant difference.
If your organisation would like support reviewing its privacy practices or strengthening its privacy framework, you're welcome to book a consultation.
FAQs
Does the Privacy Act apply to every business in New Zealand?
Yes. The Privacy Act 2020 applies to all organisations that handle personal information, regardless of size. Even sole traders must follow the Information Privacy Principles when collecting or storing personal information.
What is considered personal information under the Privacy Act?
Personal information includes any information that identifies or could identify an individual. This may include names, contact details, employment records, customer history, or online identifiers.
Do small businesses need a Privacy Officer?
Yes. Every organisation subject to the Privacy Act must appoint a Privacy Officer. In small businesses this role is often taken on by an owner or manager.
Can businesses keep customer information forever?
No. The Privacy Act requires organisations to retain personal information only for as long as it's needed for the purpose it was collected.
Are AI tools like ChatGPT a privacy risk for businesses?
They can be if staff enter personal or sensitive information into them without proper safeguards. Organisations should have clear guidance for staff on how AI tools can be used safely and responsibly.