Regulation · CyberCover Team · 6 min read · 8 April 2026

The Privacy Act 2020 and Your Business: What You Need to Know

What the Privacy Act 2020 Means for NZ Businesses

The Privacy Act 2020 replaced New Zealand's previous privacy legislation and introduced significant new obligations for all businesses that collect and hold personal information about New Zealanders.

Mandatory Breach Notification

The most significant change for businesses is the mandatory breach notification requirement. Under the Act, you must notify the Office of the Privacy Commissioner (OPC) and affected individuals when a privacy breach occurs that has caused — or is likely to cause — serious harm.

Serious harm includes situations where individuals may suffer financial loss, physical harm, significant humiliation, or where sensitive information is exposed. In practice, most significant data breaches will meet this threshold.

The Cost of Notification

Notifying affected individuals sounds straightforward, but the costs add up quickly. For a business with 5,000 customers, a breach notification programme typically includes:

  • Legal review of notification obligations and content
  • Individual notification letters or emails
  • Call centre setup to handle customer enquiries
  • Credit monitoring services where financial data was exposed
  • Media statement and communications management

These costs can easily reach $50,000–$150,000 for a mid-sized NZ business — and cyber insurance covers all of them.

Penalties for Non-Compliance

Failing to notify when required is an offence under the Privacy Act. The Privacy Commissioner can refer matters to the Human Rights Review Tribunal, which can award compensation of up to $350,000. Criminal fines of up to $10,000 apply for certain offences including obstruction and false statements.

Practical Steps for Businesses

To meet your Privacy Act obligations, businesses should:

  • Maintain a data register — know what personal data you hold and where
  • Have an incident response plan that includes a breach notification process
  • Train staff to recognise and report potential breaches promptly
  • Appoint a Privacy Officer (required under the Act)
  • Ensure cyber insurance covers breach response and regulatory defence

How Cyber Insurance Helps

Cyber insurance policies specifically address Privacy Act compliance by covering: legal advice on notification obligations, notification costs, regulatory investigation defence, and any resulting penalties (where legally insurable). This allows businesses to respond quickly and correctly without worrying about whether they can afford to comply.

About the Author

CyberCover Team — the CyberCover crew are self-confessed insurance geeks on a mission to make cyber cover simple, accessible and jargon-free for businesses of every size.

Ready to Get Protected?

Get tailored cyber insurance quotes from licensed NZ brokers. Free advice, no obligation.
