NZ Privacy Act 2020 Guide for New Companies: What Every Director Needs to Know

The NZ Privacy Act 2020 applies to every company that handles personal information. New company directors need to understand their obligations around collection, storage, and breach reporting from the day they incorporate.

Does the NZ Privacy Act Apply to My New Company?

Yes. The Privacy Act 2020 applies to any organisation that collects, uses, stores, or discloses personal information about identifiable individuals, including customers, staff, and suppliers. There is no minimum size threshold. Even a sole director with one employee is subject to the Act.

Key Privacy Act Obligations for New NZ Companies

  • Collection: Only collect personal information you actually need for a specified purpose. Tell people why you are collecting it and how you will use it.
  • Storage: Keep personal information secure. This includes customer emails, staff records, financial data, and health information. Use strong passwords, encryption where appropriate, and access controls.
  • Access and correction: Individuals have the right to access the personal information you hold about them and to ask you to correct it.
  • Retention: Do not keep personal information longer than necessary. Have a data retention policy.
  • Breach reporting: Under the Privacy Act 2020, you must notify the Privacy Commissioner of a serious privacy breach as soon as practicable. You must also notify affected individuals.

Privacy Policy for New NZ Websites

If your new company has a website that collects user data (even just an email address via a contact form), you need a Privacy Policy. This should explain what data you collect, how you use it, who you share it with, and how people can access or correct their information.

When to Get a Privacy Lawyer or Consultant

If your business handles sensitive personal information (health records, financial information, children's data), or if you process large volumes of customer data, a privacy lawyer or consultant can help you set up compliant systems from the start. The cost of getting it wrong, including mandatory breach notification and reputational damage, is far greater than the cost of getting expert advice early.

Find an NZ Privacy Lawyer or Consultant via FreshFirms

FreshFirms connects newly-incorporated NZ companies with local professional services providers. If you need a privacy lawyer, compliance consultant, or IT security firm to help your new company meet its Privacy Act obligations, let us know and we will put you in touch.
