What to do after a data breach in New Zealand

Jude Dragh | June 30, 2025

A practical guide to understanding your obligations under the Privacy Act 2020, responding to data breaches, and protecting your business from legal and reputational risk when personal information is compromised.

Understanding your legal obligation

Under the Privacy Act 2020, every New Zealand business, no matter how small, has a legal obligation to notify both the Privacy Commissioner and affected individuals if a breach of privacy obligations is reasonably likely to cause harm.

What many business owners don’t realise is that even a simple misdirected email or misplaced file could be enough to trigger this duty. For small to medium-sized businesses, where formal processes may not always be in place, the risk of mishandling a breach is high and the consequences can be serious. That’s where early legal guidance can make all the difference.

What is a notifiable breach?

The Privacy Act defines a notifiable privacy breach as one that is reasonably likely to cause serious harm, or has caused serious harm, to the individual(s) involved. This kind of breach can arise from a range of everyday incidents, whether deliberate or accidental, including:

  • Emails sent to the wrong recipient containing personal details
  • Customer records being accessed by unauthorised staff
  • Lost or stolen devices containing unencrypted personal data
  • Hacked accounts or unauthorised access to cloud storage
  • Accidental public sharing of sensitive files

These types of breaches are more common than many businesses expect, and even when accidental, they may still meet the notifiable threshold.

How do you know if a breach is notifiable?

Determining whether a breach is notifiable requires a careful, case-by-case assessment. Under section 113 of the Privacy Act 2020, several factors must be considered, including:

  • The sensitivity of the information involved
  • The identity and intentions of the person who accessed or received the data
  • The likelihood of harm such as identity theft, financial loss, or reputational damage
  • The security safeguards in place at the time of the breach
  • The vulnerability of the affected individual(s)

You should thoroughly document your assessment, as the Privacy Commissioner may review it later, or it could be used in legal proceedings. A lawyer can help you work through the key considerations, apply them to your specific situation, and ensure your assessment is accurate, well-reasoned, and won’t leave your business legally exposed, especially in complex cases or where sensitive data is involved.

If in doubt, it is best to consult a lawyer early. This can help you determine whether the breach is notifiable and allow you to manage legal and reputational risks before they escalate.

What if the breach is notifiable?

If your business identifies a notifiable privacy breach, you must take two key steps:

Notify the Office of the Privacy Commissioner (OPC):

  • Complete the Notify Us form on the Office of the Privacy Commissioner’s website within 72 hours of becoming aware of the breach.
  • Include a clear summary of what happened, your assessment of the potential harm, and the steps your business has taken in response.

Notify the affected individuals:

  • Outline what happened
  • Advise them of any risks and what they can do to protect themselves
  • Explain what you are doing to address the issue and prevent future occurrences.

A poorly written notification can cause problems, especially if there’s a chance someone might later question your business’ procedure or seek compensation. Seeking legal advice before making your notification can help protect both your business and your reputation.

Take control of your privacy risk

The Privacy Act 2020 places a clear responsibility on businesses to respond to data breaches quickly, transparently, and carefully. The good news is you don’t have to navigate this alone.

When a privacy breach occurs, it’s often a high-pressure situation that requires swift and well-informed action. That’s why having a privacy breach response plan in place is so important. A well-prepared plan will guide your team through each step of the process, helping to minimise legal risk, financial penalties and reputational damage.

An effective plan should set out:

  • The key response steps — how to contain the breach, assess the risk, notify the Privacy Commissioner and affected individuals (if required), and review what went wrong
  • Clear roles and responsibilities — who within your business is responsible for each part of the response
  • A framework for determining whether the breach meets the notification threshold under the Privacy Act
  • When to seek legal advice — to ensure your assessment, communications, and notifications are accurate, compliant, and protect your legal position

Having this structure in place before a breach happens ensures your team can act decisively and appropriately. Whether you’re building your first breach response plan, assessing whether an incident is notifiable, or preparing communications to affected individuals, getting legal advice at the right time can reduce stress, cost, and long-term consequences.
