When personal information is compromised, New Zealand businesses must act swiftly and responsibly under the Privacy Act 2020. Regardless of size, every organisation is legally required to notify both the Privacy Commissioner and affected individuals if a breach is reasonably likely to cause serious harm.

Many business owners underestimate what constitutes a notifiable breach. Even a misdirected email or lost file can trigger notification obligations. For small and medium-sized enterprises, where formal protocols may be lacking, early legal advice is crucial to avoid missteps and mitigate consequences.

A notifiable privacy breach is defined as one that has caused or is likely to cause serious harm. This can result from everyday incidents – accidental or deliberate – such as unauthorised access to customer records, lost devices containing personal data, or mistakenly shared sensitive files. Determining whether a breach meets the threshold requires a careful assessment of factors including the sensitivity of the data, the intentions of the person who accessed it, and the potential for harm.

If a breach is deemed notifiable, businesses must notify the Office of the Privacy Commissioner within 72 hours, and also inform affected individuals with clear, supportive communication. Poorly handled notifications can lead to reputational damage or legal claims, making legal guidance essential.

Preparation is key.
A privacy breach response plan should outline containment steps, notification procedures, roles and responsibilities, and criteria for legal consultation. Having this framework in place ensures your team can respond confidently and compliantly.

If you’re unsure how your business would handle a breach – or are currently facing one – now is the time to speak with the privacy experts in Smith and Partners’ commercial team. Acting early can reduce stress, protect your reputation, and ensure compliance with the law.
