The Privacy Act 2020, in plain English.
Unlike most of the frameworks on this site, the Privacy Act 2020 is not optional. It applies to almost every New Zealand business that holds personal information, and it is the framework most audits end up spending the most time on.
What the Privacy Act 2020 actually requires
The Act is built around 13 Information Privacy Principles covering how personal information is collected, stored, used, shared and disposed of. In practice, most mid-size organisations, startups and small businesses fall down on a handful of recurring points rather than the whole list: knowing where personal data actually sits across cloud storage and email, having a real answer for how long it is retained, and being able to act quickly if something goes wrong.
The notification requirement that catches people out
Since 2020, businesses must notify the Privacy Commissioner and affected individuals of any privacy breach likely to cause serious harm, as soon as practicable after becoming aware of it. The businesses that struggle here are almost always the ones without a plan already written down. Knowing who makes the call, what the notification actually says, and who it goes to, before an incident happens, is most of the battle.
Who enforces it
The Office of the Privacy Commissioner oversees the Act, investigates complaints, and can issue compliance notices. Serious or repeated non-compliance can end up before the Human Rights Review Tribunal. For most businesses though, the bigger practical risk is reputational: how a breach is handled in the first 48 hours tends to matter more to customers than the breach itself.
How this fits into an audit
Data protection and privacy is one of the six areas covered in every Cyber Security Audits NZ engagement. We map where personal information is actually held, not just where it is supposed to be, check access controls and retention practices, and confirm whether your organisation could meet the notification timeframe if a breach occurred. It becomes a prioritised, practical fix list rather than a compliance checklist.
Privacy Act 2020 FAQs
Does the Privacy Act 2020 apply to my business?+
Yes. The Privacy Act 2020 applies to almost every New Zealand organisation that holds personal information about staff, customers, or suppliers, regardless of size. There is no small business exemption. A sole trader with a customer database is covered in the same way as a large corporate.
What counts as a notifiable privacy breach?+
A breach is notifiable if it has caused, or is likely to cause, serious harm to the people affected. Examples include a stolen laptop with unencrypted customer records, an email sent to the wrong recipient containing sensitive data, or a ransomware attack that exposes personal information. Notifiable breaches must be reported to the Privacy Commissioner and to affected individuals as soon as practicable.
What happens if we don't comply?+
The Privacy Commissioner can investigate complaints, issue compliance notices, and in some cases matters proceed to the Human Rights Review Tribunal, which can award damages. Beyond the legal risk, most reputational damage from a breach comes from how it is handled afterwards, which is where having a tested response plan matters.
How does a cyber security audit help with Privacy Act compliance?+
An audit checks where personal information actually lives across your systems, who can access it, how long it is kept, and whether you could meet the notification timeframes if a breach occurred. It turns the Privacy Act's principles into a concrete list of what to fix, in order of risk.
Not sure where your data actually sits?
An audit maps it, checks it against the Privacy Act, and gives you a fixed-price plan to close the gaps.
Book an Audit