
Why AI data protection matters for New Zealand businesses

AI use is already happening inside most organisations, whether leadership has approved it or not. For New Zealand businesses, the biggest risk usually isn’t AI itself. It’s staff using it without clear rules, approved tools, or oversight. The Privacy Act 2020 still applies when AI is involved, and a few practical steps can reduce risk without shutting innovation down.

AI has moved from “something to think about later” to something people are already using at work.

That might be for drafting emails, summarising notes, rewriting documents, brainstorming ideas, or speeding up admin. 

In some businesses, that use is visible and discussed. In others, it’s happening behind the scenes, through personal logins, free tools, browser extensions, or built-in AI features no one has properly reviewed yet.

That’s why AI data protection matters.

Not because every AI tool is automatically risky. And not because businesses need to panic and ban it all. 

It matters because once people start feeding business, employee, or customer information into tools that haven’t been assessed properly, the organisation can lose sight of where data is going, how it’s being handled, and what new risks are being created.

AI use is already happening inside your organisation

A lot of business owners and leadership teams are still treating AI like an upcoming issue they’ll deal with when they have time.

But for many organisations, it’s already here.

If your staff have access to tools like ChatGPT, Copilot, Gemini, Claude, or AI features built into the software you already pay for, then some form of AI adoption has probably begun. 

The real question is whether that use is visible, guided, and intentional, or whether it’s happening without anyone really knowing the scale of it.

That’s the starting point I want my clients to understand.

You don’t need to assume the worst. But you also should not assume AI isn’t being used just because you haven’t formally rolled it out.

The real risk is unmanaged AI use

In my view, the biggest problem for most New Zealand businesses is not AI itself. It’s unmanaged AI use.

That’s when people start using tools because they’re helpful, fast, and easy, but there are no clear boundaries around what tools are allowed, what information can be entered, or how outputs should be checked before they’re used.

That lack of visibility is where risk starts to build.

Not all at once. Often gradually.

  • A team member uses a free tool to tidy up a sensitive email. 

  • Someone pastes notes from a customer meeting into a personal account to get a summary. 

  • A manager uploads a draft document to save time. 

Individually, those actions may feel minor. 

Collectively, they can create real privacy, confidentiality, and governance issues.

What Shadow AI can look like in a business

Shadow AI is the term often used when staff use AI tools without formal approval, oversight, or guidance from the organisation.

That might look like:

  • using a personal AI login for work tasks.

  • copying client or employee information into a free tool.

  • installing an AI browser extension without IT review.

  • using built-in AI features in software that no one has properly assessed.

  • relying on AI-generated content or analysis without any checking.

Most of the time, this doesn’t come from bad intent. It comes from people trying to work faster, keep up, and make their day easier.

That’s part of what makes it tricky.

If businesses respond by pretending it’s not happening, or by banning it without offering a safer alternative, they often push the behaviour further underground.

The Privacy Act still applies when AI is involved

Using AI in your business doesn’t cancel out your obligations under the Privacy Act 2020. 

If personal information is involved, the same privacy responsibilities still apply. 

The Office of the Privacy Commissioner is clear on that point, and it also recommends using a Privacy Impact Assessment as a practical way to think through risks before wider adoption.

So even if a tool feels smart, quick, or low effort, the usual questions still matter:

  • Do we need to use personal information here at all?

  • Is the information being handled appropriately?

  • Who might be able to access it?

  • Could it be stored or disclosed outside New Zealand? (The Act's cross-border disclosure principle, IPP 12, applies when an overseas provider handles the data.)

  • Are we comfortable with the level of security, control, and transparency?

AI doesn’t create a privacy-free zone. It simply creates a new context where your existing responsibilities need to be applied properly.

Free AI tools and enterprise AI tools are not the same

This is one of the biggest points of confusion I see.

A lot of organisations talk about “using AI” as if all tools are basically the same. 

They’re not.

Consumer tools, free plans, and personal accounts can come with very different settings, controls, retention rules, and data handling terms compared with business-grade or enterprise versions. 

I always advise my clients to look closely at privacy settings, understand how information is used, and choose business-grade paid options where possible because they typically offer better administrative control.

OpenAI also distinguishes between its consumer services and its business offerings. Its public guidance says consumer content may be used to improve its services depending on the user's settings, while content from business products such as ChatGPT Business, Enterprise, and the API is not used to train its models unless a customer opts in.

That distinction matters.

Because “yes, we use AI” is not a strategy.

A much better question is this: which tools are approved for work use, under what settings, for which jobs, and with what safeguards around business and personal information?

What staff should never enter into AI tools casually

One of the simplest ways to reduce risk is to be very clear about what should not be entered into AI tools, especially free or unapproved ones.

Treat typing, pasting, and uploading information into AI tools as a form of disclosure, and take extra care with high-risk or sensitive information.

For most organisations, that means staff should be extremely cautious with things like:

  • customer personal information

  • employee records

  • health or wellbeing information

  • financial details

  • commercially sensitive documents

  • confidential contracts

  • internal investigations

  • legal advice

  • passwords or access credentials

Even when you’re using an approved enterprise tool, there should still be internal rules around what is acceptable, what needs extra review, and what should stay out of AI entirely.

A paid tool can reduce risk. It doesn’t remove the need for judgement.

Why banning AI usually creates a different problem

I understand why some organisations want to ban AI completely. It can feel like the safest option when there’s uncertainty around privacy, accuracy, and data handling.

But in practice, blanket bans often create a different problem.

When staff can see obvious efficiency benefits and there is no approved pathway for using AI at work, some will find their own workaround. 

That might mean personal accounts, free subscriptions, unapproved plug-ins, or copying information into tools that sit well outside the organisation’s control.

That’s why I think the better approach is usually not “stop all AI use”.

It’s “make safe use easier than unsafe use”.

Where to start if you’ve done nothing yet

The first step is usually getting clear on what’s already happening. 

  • Which tools are people using? 

  • What tasks are they using them for? 

  • Are there AI features already turned on inside your current platforms? 

Some organisations may already have AI capabilities inside tools like Microsoft 365 or Google Workspace, which can be a more practical place to start because they sit within systems you already manage.

From there, you can begin to make deliberate decisions instead of reactive ones.

How to start using AI more safely

For most businesses, a practical early approach looks something like this:

Start with visibility
Find out what tools are already in use and where people are most tempted to use AI in their day-to-day work.

Approve a small number of tools
Rather than leaving staff to choose whatever they like, decide which tools are acceptable and under what conditions. Browser extensions, apps, plug-ins, and connectors deserve particular scrutiny because of the access they may have to files, emails, and other systems: an extension that can read every page a user visits, or a connector granted broad permissions to a mailbox or file store, sees far more than the single task it was installed for.

Begin with lower-risk tasks
Early use cases should be easy to review and unlikely to cause harm if an output is imperfect, such as basic drafting, summarising non-sensitive material, or idea generation.

Set boundaries around data
Your team should know what can be used, what must be anonymised, what needs approval, and what should never be entered into a tool.

Require human review
AI can support a first draft or a first pass, but it should not replace human responsibility. Important outputs still need to be checked for accuracy, privacy issues, tone, context, and whether they’re actually fit for use.

Train staff in real-world use
A policy on its own is not enough. People need practical examples, clear expectations, and guidance that reflects the work they actually do.

What a practical AI use policy should cover

This is where businesses often overcomplicate things.

Your first AI use policy doesn’t need to be a massive, intimidating document full of jargon. It needs to be clear enough that people understand what’s expected of them.

A useful policy will usually cover:

  • which tools are approved for work use.

  • what information is not allowed to be entered.

  • when AI use is appropriate and when it isn’t.

  • what level of human review is required.

  • who is responsible for approval, oversight, and updates.

  • what staff should do if they are unsure.

If the policy is too vague, it won’t guide behaviour. If it’s too unrealistic, people won’t follow it.

The sweet spot is practical, readable, and grounded in how your team actually works.

Good AI governance supports innovation

This is the bit I think gets lost in the fear.

Good governance is not there to kill momentum. It’s there to make progress safer, clearer, and more sustainable.

MBIE’s Responsible AI Guidance for Businesses takes a practical approach and frames responsible AI as something businesses can support through good governance, accountability, data practices, and oversight rather than through panic or paralysis.

That matters because most businesses do not need a completely separate universe of systems just to begin using AI more responsibly. They usually need to adapt the governance habits they should already have, then apply them properly to a new technology.

When the right foundations are in place, AI becomes easier to use well.

People know which tools are approved. They understand the limits. They know what needs checking. Leadership has better visibility. And the organisation is in a much stronger position to innovate without creating unnecessary privacy and data protection risk.

You don’t need to figure this out on your own

If AI use is already creeping into your organisation, now is the time to deal with it.

You need an approach that fits your organisation, your people, your systems, and the kind of information you’re responsible for protecting.

That might mean identifying Shadow AI, reviewing current tools, assessing privacy risk, putting an AI use policy in place, training staff, or working out which enterprise tools and settings are the safest fit for your business.

If that’s where you’re at, I can help you put the right foundations in place so your business can use AI more confidently without losing sight of privacy, trust, or control.

Book a call to start the conversation.

FAQs about AI data protection for New Zealand businesses

Does the Privacy Act apply when staff use AI tools at work?

Yes. If personal information is involved, the Privacy Act still applies. The Office of the Privacy Commissioner is clear that organisations cannot step outside their privacy obligations just because AI is involved.

What is Shadow AI?

Shadow AI is when staff use AI tools without formal approval, oversight, or guidance from the business. That can include personal accounts, free tools, unapproved extensions, or AI features already sitting inside workplace software.

Are free AI tools safe for business use?

Not always. Free and consumer tools can have very different settings and protections from business-grade or enterprise products. That is why businesses should assess tools properly rather than assuming all AI products handle data the same way.

What data should never be entered into AI tools?

As a rule, staff should avoid entering personal, confidential, or commercially sensitive information into unapproved tools. Treat anything typed, pasted, or uploaded into an AI tool as a disclosure, and take extra care with high-risk information.

Where should a New Zealand business start with AI governance?

Start by finding out what is already happening. From there, assess risk, choose approved tools, define boundaries around data, require human review, and train staff. The Office of the Privacy Commissioner also recommends using a Privacy Impact Assessment to work through privacy risks before wider use.