What the NZ Privacy Act 2020 Means for Your Business Software and Data
The NZ Privacy Act 2020 has real teeth — and most small business owners don't know what it requires from their software and data practices.

Key Takeaways
1. The NZ Privacy Act 2020 replaced the 1993 Act and significantly strengthened obligations around how businesses collect, store, and use personal information.
2. You must now notify the Privacy Commissioner of a serious privacy breach — within 72 hours in some cases — and notify affected individuals if there's a risk of harm.
3. The software your business uses (including third-party tools) falls under your obligations as the data controller.
4. Privacy by design — building privacy protections in from the start — is far cheaper than retrofitting them after a breach.
5. Most small NZ businesses are not compliant, but the steps to get there are practical and don't require a legal team.
The Privacy Act 2020 came into force on 1 December 2020, replacing New Zealand's 1993 privacy law. The old Act was drafted before most businesses even had websites. The new one was designed for a world where personal data flows through dozens of software systems, crosses international borders instantly, and can be breached at scale.
Most small NZ business owners know the Act exists. Far fewer understand what it actually requires of them — particularly when it comes to the software they use and build. This article is a plain-English walkthrough of what the Act means for your business's data practices, what's changed, and what you should actually be doing about it.
What Changed in 2020
The 2020 Act kept the same 13 Information Privacy Principles (IPPs) as the 1993 version, but significantly strengthened the obligations around them. The most important changes for typical businesses:
Mandatory breach notification
This is the big one. Under the 1993 Act, there was no requirement to tell anyone if you had a data breach. Under the 2020 Act, you must notify the Privacy Commissioner of any notifiable privacy breach — one that has caused or is likely to cause serious harm — and you must also notify the affected individuals.
The notification to the Commissioner must happen "as soon as practicable" after you become aware of the breach. In practice, this is generally interpreted as within 72 hours for serious breaches, though the Act doesn't specify an exact timeframe. Sitting on a breach, hoping nobody notices, is no longer an option.
Stronger enforcement powers
The Privacy Commissioner now has the power to issue compliance notices — formal orders requiring you to do or stop doing something. Failing to comply with a compliance notice is a criminal offence. The Commissioner can also take cases directly to the Human Rights Review Tribunal.
Offshore data transfer restrictions
If you're sending personal information about New Zealanders to another country — which happens every time you use a cloud service based overseas — you need to take reasonable steps to ensure that information will be protected. This applies to software-as-a-service tools your business uses.
Privacy by design is now an expectation
The Act doesn't mandate privacy by design by name, but the Commissioner has made clear it's the expected approach. If your software collects more data than necessary, keeps it longer than necessary, or doesn't have appropriate protections, that's a compliance risk.
The 13 Information Privacy Principles: What They Mean in Practice
The IPPs are the core of the Act. Here's a practical summary of the ones most relevant to small businesses and their software:
IPP 1: Only collect what you need
If your intake form asks for someone's date of birth "just in case," or your CRM stores information you never actually use, that's a compliance risk. Only collect personal information you have a genuine use for. This applies to forms, software, and databases.
IPP 3: Tell people what you're collecting and why
At the point of collection, people need to know: what you're collecting, why, what you'll do with it, and who you might share it with. A privacy policy on your website helps, but the notice needs to be at the point of collection — in the form itself, not hidden in a footer link.
IPP 4: Don't collect information by unlawful means
This sounds obvious, but it includes scraping data without consent, collecting information under a false pretext, and some forms of tracking that users haven't agreed to.
IPP 5: Keep it secure
You must take reasonable security safeguards against loss, access, modification, and disclosure. "Reasonable" depends on the sensitivity of the data and the size of your business. Customer financial information and health records need stronger protections than a marketing email list. For software, this means: encryption at rest and in transit, access controls, and regular backups.
IPP 6 and 7: People can access and correct their own information
If someone asks what information you hold about them, you must provide it. If they say it's wrong, you must either correct it or note their objection. Your software needs to make this possible — not just in theory, but in practice. If you can't extract all information about a specific person from your systems, that's a compliance gap.
IPP 10 and 11: Don't use data for something different
If someone gave you their email to receive invoices, you shouldn't be using it for marketing newsletters without their consent. The purpose for which information was collected limits how you can use it. This matters if you're doing email marketing, data analysis, or sharing data with third parties.
What This Means for Your Software
The Act applies to how you handle personal information — and software is how most businesses handle information today. Here's what to audit:
Your customer database
Whether it's a CRM, a spreadsheet, or a custom system — where is your customer data stored? Is it encrypted? Who has access? Do you know how to find all information about a specific person if they ask? Can you delete their data if requested? If you can't answer these questions confidently, that's worth fixing.
Third-party tools you use
When you use Xero, Mailchimp, a booking system, or any cloud software that stores your customers' data, you're transferring personal information to that provider. You're responsible for ensuring they treat it appropriately. Check their privacy policies, where they store data (New Zealand, Australia, USA?), and whether they have proper security certifications.
Tools storing data in the USA are subject to US law — including government access provisions that don't exist in NZ. This doesn't mean you can't use US-based tools, but you need to have considered it and documented your reasoning.
Your website forms and tracking
Contact forms, booking forms, newsletter signups — are users told what their information will be used for? Are you using cookies or analytics tools that track visitors? Are you collecting more than you need?
Google Analytics, for example, sends data to Google servers in the USA. If you have it installed without disclosing this, that's a potential compliance issue. Privacy-focused alternatives like Plausible (which stores data in Europe) or Fathom (Canadian-based) are worth considering.
Custom software and portals
If you've had custom software built, or you're building it, privacy compliance should be in the brief. Specifically:
- Role-based access controls (not everyone can see everything)
- Audit logging (who accessed what, when)
- Data encryption (at rest and in transit)
- Data retention policies (what gets deleted and when)
- The ability to export or delete all data about a specific person
Retrofitting these into existing software is expensive and painful. If you're starting fresh, build them in from the beginning.
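To make the brief above concrete, here is a small added illustration (not code from this article or from any particular product) of how those controls fit together in one data store: a role-to-permission table that gates every action, an audit log that records each attempt including refusals, a per-purpose retention limit, and the ability to export or delete everything held about one person across several internal systems. It also answers the "can you find and delete all data about a specific person" questions from the customer database section. The role names, retention periods, system names and customer records are all constructed for the example; the retention figures in particular are assumptions, not values taken from the Act.

```python
"""Minimal privacy-aware record store: RBAC, audit log, retention, export/delete.

Added illustration only. Roles, retention periods, systems and sample records
are assumptions constructed for this example, not real customers or legal limits.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Role -> permitted actions (assumed role names; the real brief defines these).
PERMISSIONS = {
    "support": {"read"},
    "privacy_officer": {"read", "export", "delete"},
    "admin": {"read", "write", "export", "delete"},
}

# Retention limit per collection purpose (assumed values for the example).
RETENTION = {
    "invoicing": timedelta(days=7 * 365),
    "marketing": timedelta(days=365),
}

# Fixed "current time" so the example is reproducible offline.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


class AccessDenied(PermissionError):
    """Raised when a role is not permitted to perform an action."""


@dataclass
class Record:
    subject_id: str       # the person the data is about
    system: str           # which internal system holds it (crm, billing, ...)
    purpose: str          # why it was collected (limits later use)
    data: dict            # the personal information itself
    collected_at: datetime


@dataclass
class PersonalDataStore:
    records: list = field(default_factory=list)
    audit_log: list = field(default_factory=list)

    def _authorise(self, user: str, role: str, action: str, subject_id: str) -> None:
        """Role-based check; every attempt is logged, allowed or not."""
        allowed = action in PERMISSIONS.get(role, set())
        self.audit_log.append({
            "at": datetime.now(timezone.utc).isoformat(),
            "user": user, "role": role, "action": action,
            "subject": subject_id, "allowed": allowed,
        })
        if not allowed:
            raise AccessDenied(f"{user} ({role}) may not {action} {subject_id}")

    def add(self, user: str, role: str, record: Record) -> None:
        self._authorise(user, role, "write", record.subject_id)
        self.records.append(record)

    def export_subject(self, user: str, role: str, subject_id: str) -> list:
        """Everything held about one person, across all systems (access request)."""
        self._authorise(user, role, "export", subject_id)
        return [
            {"system": r.system, "purpose": r.purpose, "data": r.data,
             "collected_at": r.collected_at.isoformat()}
            for r in self.records if r.subject_id == subject_id
        ]

    def delete_subject(self, user: str, role: str, subject_id: str) -> int:
        """Remove every record about one person; returns how many were deleted."""
        self._authorise(user, role, "delete", subject_id)
        before = len(self.records)
        self.records = [r for r in self.records if r.subject_id != subject_id]
        return before - len(self.records)

    def purge_expired(self, now: datetime) -> int:
        """Retention policy: drop records older than their purpose's limit."""
        keep = [r for r in self.records if now - r.collected_at <= RETENTION[r.purpose]]
        removed = len(self.records) - len(keep)
        self.records = keep
        return removed


def build_sample_store() -> PersonalDataStore:
    """Constructed sample data (not real people) spread over two systems."""
    store = PersonalDataStore()
    store.add("alice", "admin", Record("cust-42", "billing", "invoicing",
              {"email": "j.doe@example.com"}, NOW - timedelta(days=30)))
    store.add("alice", "admin", Record("cust-42", "crm", "marketing",
              {"newsletter": True}, NOW - timedelta(days=400)))
    store.add("alice", "admin", Record("cust-7", "billing", "invoicing",
              {"email": "k.lee@example.com"}, NOW - timedelta(days=10)))
    return store


if __name__ == "__main__":
    s = build_sample_store()
    print(s.export_subject("pat", "privacy_officer", "cust-42"))
    print("expired records purged:", s.purge_expired(NOW))
    print("records deleted for cust-42:", s.delete_subject("pat", "privacy_officer", "cust-42"))
```

The point of the structure is that the export and delete paths are generic over every system the store knows about, so an access or deletion request does not depend on someone remembering which spreadsheet or CRM also holds a copy. Encryption at rest and in transit is deliberately left to the storage and transport layers and is not shown here.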
What a Privacy Breach Response Looks Like
If you have a privacy breach, here's the practical sequence:
- Contain it — stop the breach from continuing. Revoke access, take the system offline if necessary, change credentials.
- Assess it — what data was accessed? How many people are affected? Is there a risk of serious harm (financial loss, physical harm, identity theft, significant emotional distress)?
- Notify the Commissioner — if it's a notifiable breach (risk of serious harm), report it via the Privacy Commissioner's online system. Do this promptly.
- Notify affected individuals — tell them what happened, what information was involved, and what you're doing about it. Be honest. People handle "we had a breach and here's what we're doing" better than finding out weeks later that you knew and said nothing.
- Document everything — the breach, your response, and the steps you've taken to prevent it happening again.
Practical Steps for NZ Small Businesses
You don't need a legal team to make meaningful progress on privacy compliance. Here's a practical starting list:
- Audit what personal data you hold. Make a list of every system that stores customer or employee information. Know where it is, who can access it, and where it's backed up.
- Update your privacy policy. Make it accurate and specific — not a generic template. The Privacy Commissioner's website has a free privacy statement generator for small businesses.
- Add collection notices to your forms. Every form that collects personal information should tell people what it's for.
- Review third-party tools. Do you actually need all the tools you're using? Can you consolidate? Check where each one stores data.
- Create a breach response plan. Even one page is better than nothing. Who do you call? What's the sequence? Where is the Privacy Commissioner notification form?
- Check your software. Can you find and export all data about a specific person? Can you delete it? Is access appropriately restricted?
The Privacy Commissioner's website (privacy.org.nz) has genuinely useful free resources for small businesses, including checklists and guidance documents. It's worth spending an hour there.
If you have custom software that handles sensitive customer data — health records, financial information, legal documents — it's worth a specific review against the IPPs. That's something I can help with. Getting it right upfront is dramatically cheaper than fixing a breach after the fact.
Quick Questions
Does the NZ Privacy Act 2020 apply to small businesses?
Yes. There's no size threshold — if you collect, store, or use personal information about individuals, the Act applies to you. That means any business with a customer database, an employee, or a contact form on their website is covered. The Privacy Commissioner can investigate complaints against businesses of any size.
What counts as a 'privacy breach' under the 2020 Act?
A privacy breach is any unauthorised or accidental access to, disclosure, alteration, loss, or destruction of personal information. This includes things like sending an email to the wrong person, a data leak from your software, someone accessing your system without authorisation, or losing a device with unencrypted customer data. Not every breach requires notification — only those that pose a risk of serious harm to affected individuals.
What's the penalty for breaching the Privacy Act?
The 2020 Act introduced fines of up to NZD $10,000 for interfering with someone's privacy. More significant is the reputational damage and cost of remediation — breach investigations, client notification, legal fees, and the trust damage that follows. The Privacy Commissioner also has stronger powers to issue compliance notices and take cases to the Human Rights Review Tribunal.
Do I need to tell customers what data I'm collecting?
Yes. Under Information Privacy Principle 3, you must tell people — at or before the time of collection — what information you're collecting, why you're collecting it, who you might share it with, and that they have the right to access and correct it. This applies to forms, software onboarding, and customer databases. A clear privacy policy helps, but the notice needs to happen at point of collection, not buried in a policy they might never read.