What to do after a data breach in New Zealand

30 June, 2025 | Jude Dragh

A practical guide to understanding your obligations under the Privacy Act 2020, responding to data breaches, and protecting your business from legal and reputational risk when personal information is compromised.

Understanding your legal obligation

Under the Privacy Act 2020, every New Zealand business, no matter how small, has a legal obligation to notify both the Privacy Commissioner and affected individuals if a breach of privacy obligations is reasonably likely to cause harm.

What many business owners don’t realise is that even a simple misdirected email or misplaced file could be enough to trigger this duty. For small to medium-sized businesses, where formal processes may not always be in place, the risk of mishandling a breach is high and the consequences can be serious. That’s where early legal guidance can make all the difference.

What is a notifiable breach?

The Privacy Act defines a notifiable privacy breach as one that has caused serious harm, or is reasonably likely to cause serious harm, to the individual(s) involved. This kind of breach can arise from a range of everyday incidents, whether deliberate or accidental, including:

  • Emails sent to the wrong recipient containing personal details
  • Customer records being accessed by unauthorised staff
  • Lost or stolen devices containing unencrypted personal data
  • Hacked accounts or unauthorised access to cloud storage
  • Accidental public sharing of sensitive files

These types of breaches are more common than many businesses expect, and even when accidental, they may still meet the notifiable threshold.

How do you know if a breach is notifiable?

Determining whether a breach is notifiable requires a careful, case-by-case assessment. Under section 113 of the Privacy Act 2020, several factors must be considered, including:

  • The sensitivity of the information involved
  • The identity and intentions of the person who accessed or received the data
  • The likelihood of harm such as identity theft, financial loss, or reputational damage
  • The security safeguards in place at the time of the breach
  • The vulnerability of the affected individual(s)

You should thoroughly document your assessment, as the Privacy Commissioner may review it later, or it could be used in legal proceedings. A lawyer can help you work through the key considerations, apply them to your specific situation, and ensure your assessment is accurate, well-reasoned, and won’t leave your business legally exposed, especially in complex cases or where sensitive data is involved.

If in doubt, it is best to consult a lawyer early. This can help you determine whether the breach is notifiable and allow you to manage legal and reputational risks before they escalate.

What if the breach is notifiable?

If your business identifies a notifiable privacy breach, you must take two key steps:

Notify the Office of the Privacy Commissioner (OPC):

  • Complete the Notify Us form on the Office of the Privacy Commissioner’s website within 72 hours of becoming aware of the breach.
  • Include a clear summary of what happened, your assessment of the potential harm, and the steps your business has taken in response.

Notify the affected individuals:

  • Outline what happened
  • Advise them of any risks and what they can do to protect themselves
  • Explain what you are doing to address the issue and prevent future occurrences.

A poorly written notification can cause problems, especially if there’s a chance someone might later question your business’s procedures or seek compensation. Seeking legal advice before making your notification can help protect both your business and your reputation.

Take control of your privacy risk

The Privacy Act 2020 places a clear responsibility on businesses to respond to data breaches quickly, transparently, and carefully. The good news is you don’t have to navigate this alone.

When a privacy breach occurs, it’s often a high-pressure situation that requires swift and well-informed action. That’s why having a privacy breach response plan in place is so important. A well-prepared plan will guide your team through each step of the process, helping to minimise legal risk, financial penalties and reputational damage.

An effective plan should set out:

  • The key response steps — how to contain the breach, assess the risk, notify the Privacy Commissioner and affected individuals (if required), and review what went wrong
  • Clear roles and responsibilities — who within your business is responsible for each part of the response
  • A framework for determining whether the breach meets the notification threshold under the Privacy Act
  • When to seek legal advice — to ensure your assessment, communications, and notifications are accurate, compliant, and protect your legal position

Having this structure in place before a breach happens ensures your team can act decisively and appropriately. Whether you’re building your first breach response plan, assessing whether an incident is notifiable, or preparing communications to affected individuals, getting legal advice at the right time can reduce stress, cost, and long-term consequences.

We’re here to help

If you’re unsure how your business would respond to a privacy breach, or you’re currently dealing with one, now is the time to act.

Contact us today by calling Jude on 09 837 6886 or email jude.dragh@smithpartners.co.nz – or by completing the form below and we’ll help you put the right protections, processes, and legal support in place before a minor issue turns into a major problem.


A privacy breach can escalate fast — don’t wait until it’s too late
Contact us now to put the right protections and legal safeguards in place before a minor mistake becomes a major liability.


About the author

Jude holds a Bachelor of Laws and a Bachelor of Commerce from the University of Auckland. This combination gives Jude a deep understanding of both the legal and commercial landscapes, enabling her to navigate and address complex challenges from a
