Privacy & Data Protection Program - NZ Small Business
Ready-to-implement privacy compliance program for New Zealand small businesses handling personal information about customers, staff, and others.
✅ Built for NZ small business use
✅ Privacy Act 2020 and Privacy Amendment Act 2025 aligned
✅ Policies, procedures, registers & training guides
✅ Covers IPP 3A (effective 1 May 2026) and Biometric Processing Privacy Code 2025
✅ Instant digital download
✅ NZ $495 incl GST
01 — WHAT
What is it?
The Privacy & Data Protection Program — NZ Small is a ready-to-implement privacy compliance program designed for New Zealand small businesses. It gives business owners and privacy officers a structured way to collect, store, use, and disclose personal information lawfully — in full compliance with the Privacy Act 2020 and current regulatory guidance from the Office of the Privacy Commissioner.
It provides the policies, procedures, registers, forms, and training needed to manage personal information responsibly — whether that's customer data, staff records, financial information, or any other individually identifiable information the business holds.
02 — WHO
Who is it for?
- Business owners and managers responsible for privacy compliance
- NZ small businesses (1–15 staff) collecting personal information from customers or staff
- Businesses using AI tools, cloud platforms, or third-party services that handle personal data
- Companies rolling out new systems that will store or process personal information
- Any NZ business that wants to handle personal information professionally and lawfully
03 — WHY
Why does it matter?
The Privacy Act 2020 applies to every New Zealand organisation that collects, stores, uses, or discloses personal information about identifiable individuals — and the obligations are not optional. The Privacy Amendment Act 2025 has introduced new requirements that take effect from 1 May 2026, including proactive notification when personal information is collected from a source other than the individual concerned.
Relevant legislation includes:
- Privacy Act 2020 — 13 Information Privacy Principles (IPPs 1–13)
- Privacy Amendment Act 2025 — IPP 3A (effective 1 May 2026)
- Biometric Processing Privacy Code 2025 — for automated biometric systems
- Human Rights Act 1993 — data practices must not discriminate on protected grounds
- Harmful Digital Communications Act 2015 — restrictions on harmful disclosure
Without a privacy program, businesses risk:
- Formal investigation by the Office of the Privacy Commissioner
- Compliance notices and civil liability under the Privacy Act
- Complaints to the Human Rights Review Tribunal
- Reputational damage if a privacy breach becomes public
- Legal liability from 1 May 2026 where IPP 3A notification processes are not in place
04 — WHEN
When do you need it?
- Before collecting personal information from customers or staff in any new system or process
- When adopting a new AI tool, cloud platform, or third-party service that handles personal data
- When a privacy breach occurs and you need a documented response process
- Before the 1 May 2026 IPP 3A deadline for indirect collection notification
- Before the 3 August 2026 Biometric Processing Privacy Code compliance deadline
- Whenever you want to demonstrate to customers and regulators that personal information is handled lawfully
05 — WHERE
Where does it apply?
- Customer data collection — forms, websites, phone, and in-person intake
- Staff and contractor records management
- AI tools and cloud platforms used in the business
- Third-party service providers who receive or process personal information
- Direct marketing and customer communications
- Privacy breach identification and response
- Individual access and correction requests
06 — HOW
How does it work?
- Appoint a Privacy Officer and document the appointment
- Map every category of personal information the business collects and holds
- Customise and approve the Privacy & Data Protection Policy
- Confirm IPP 3-compliant collection notices are in place at every collection point
- Assess all third-party relationships involving personal information
- Train all staff before they handle personal information
- Establish breach response procedures aligned to the mandatory notification framework
- Review the program annually and update for legislative changes
07 — INCLUDED
What is included?
1.0 Product Document Index
1.1 Welcome Pack
1.2 Quick Start Guide
1.3 30-Day Implementation Roadmap
1.4 Programme Navigation Guide
2.1 Executive Summary
3.1 Privacy & Data Protection Policy
3.2 Privacy Acceptable Use Policy
3.3 Privacy Data Handling Procedure
3.4 Privacy Risk Management Policy
3.5 Privacy Breach Response Policy
3.6 Privacy Document Review & Update Policy
4.1 Privacy Breach Response Procedure
4.2 Third-Party Data Sharing Procedure
5.1 Privacy Impact Assessment Template
5.2 Staff Privacy Acknowledgement Form
5.3 Individual Access Request Form
6.1 Privacy Register
6.2 Privacy Breach Register
6.3 Privacy Action Plan Register
6.4 Training Register
6.5 Version Control Register
6.6 Legislative Update Log
7.1 Privacy Monthly Review Checklist
7.2 Third-Party Assessment Checklist
7.3 Annual Privacy Review Guide
8.1 Staff Privacy Training Guide
8.2 Manager Privacy Briefing Guide