Privacy Act 2020 Compliance for New NZ Companies: What You Need to Do in Your First Year

The Privacy Act 2020 applies to every NZ company from day one. Here is what new directors need to know.

The Privacy Act 2020 applies to virtually every NZ company from the moment it starts operating. Unlike regulatory obligations that phase in over time, privacy law attaches the moment you collect, use, or store personal information about any individual, including your clients, staff, and suppliers. New directors are often surprised to learn how broad these obligations are.

What Is the Privacy Act 2020?

The Privacy Act 2020 replaced the 1993 Act and introduced stronger protections, mandatory breach notification, and expanded enforcement powers for the Privacy Commissioner. It is based on 13 Information Privacy Principles (IPPs) that govern how organisations collect, store, use, and disclose personal information. The Act applies to any business that collects or holds personal information about individuals, regardless of company size.

Key Obligations for New NZ Companies

1. Appoint a Privacy Officer

Every agency must appoint a privacy officer under section 201 of the Act. The officer is responsible for dealing with requests under the Act, ensuring the company complies with the IPPs, and being the point of contact for the Privacy Commissioner if a complaint arises. In a small company, this is usually the director or an office manager.

2. Collect Only What You Need

IPP 1 says you should only collect personal information that is necessary for a lawful purpose connected to your business. Client names, emails, and addresses for invoicing are clearly necessary. Collecting date of birth, health information, or financial details requires a clear justification and stronger safeguards.

3. Tell People What You Are Collecting and Why

IPP 3 requires you to tell individuals what information you are collecting, why you are collecting it, who you plan to share it with, and whether it is required or voluntary. This is typically done via a privacy policy on your website and a brief notice at the point of collection, such as a client intake form or email footer.

4. Secure Personal Information

IPP 5 requires you to protect personal information from loss, misuse, or unauthorised access. For most small businesses, this means password-protected cloud accounting software, encrypted email for sensitive documents, a clear policy on who can access client files, and a documented process for disposing of old records securely.

5. Mandatory Breach Notification

One of the most significant changes in the 2020 Act is mandatory breach notification. If a privacy breach occurs that has caused, or is likely to cause, serious harm to any individual, you must notify both the Privacy Commissioner and the affected individuals as soon as reasonably practicable. Failure to notify when required can result in a fine of up to NZ$10,000.

Indicators that a breach meets the serious harm threshold include exposure of financial account details or health or disability information, a risk of identity theft, or disclosure of information that could lead to discrimination, harassment, or physical harm.

6. Responding to Access Requests

Individuals have the right to request access to personal information you hold about them and to request corrections. You must respond within 20 working days. A refusal must cite a specific ground in the Act and inform the individual of their right to complain to the Privacy Commissioner.

Practical First Steps for New Companies

  • Publish a privacy policy on your website covering what information you collect, why, and how you protect it.
  • Designate a privacy officer and document who holds this role.
  • Review your email marketing practices to ensure you comply with both the Privacy Act and the Unsolicited Electronic Messages Act 2007.
  • Assess your cloud tools: Xero, Google Workspace, Microsoft 365, and CRM platforms all handle personal information on your behalf. Review their data processing terms.
  • Create a breach response plan: know who to call, how to assess severity, and how to notify the Commissioner and affected individuals.

Getting Professional Help

Privacy compliance can be complex, particularly for companies in health, financial services, recruitment, or legal sectors that handle sensitive categories of personal information. A privacy consultant or lawyer specialising in data protection can audit your processes, draft a compliant privacy policy, and ensure your data handling meets the Act's requirements.

If you are a privacy consultant looking to reach newly registered NZ companies that need compliance support, FreshFirms surfaces them daily with director contact details.

Resources

  • Privacy Commissioner: privacy.org.nz (free guidance, templates, complaint forms)
  • NZ Companies Office: companiesoffice.govt.nz
  • The Privacy Act 2020: legislation.govt.nz
