
Privacy Act 2020 IPP3A is Coming — What Should Your Business Actually Do?

  • Writer: R O'Brien
  • Oct 15
A practical legal guide to what IPP3A means for your business, how to prepare, and how to keep compliance proportionate and defensible.

From Principles to Practice


Over the past few weeks, this series has unpacked what IPP3A is, why it matters, the exceptions and how it will change the way organisations collect, use and share personal information. These earlier posts are available here:


This final post brings it all together and looks at what your business can do now to prepare.


As a lawyer who spends much of my time advising businesses on privacy and data, I see two common reactions to reforms like IPP3A. Some move quickly to get ahead of the change. Others wait, hoping it will be another regulatory update that never quite bites.


Both are understandable. But the real question is not whether you do something. It is how much you need to do to be defensible when questioned, and to do the right thing by your customers and your staff. That is where proportionate, legally grounded preparation matters most.


Why the Legal Lens Matters


Privacy compliance is often treated as a policy, risk or IT exercise, but the real exposure usually lies elsewhere. For IPP3A, a large part of it sits in the contracts that define how information is shared, the supplier arrangements that determine who touches and uses the data, and the governance structures that decide who is accountable when something goes wrong.


The New Zealand Privacy Act 2020 does not carry the same financial penalties as overseas regimes such as the GDPR or the Australian Privacy Act. However, reputational harm can be significant. Being publicly called out by the Privacy Commissioner or finding your organisation on the front page of the newspaper is not an experience most businesses would choose.


What IPP3A really demands is transparency and alignment between what your business says and what it does. It requires a clear understanding of where your data comes from, how it is collected, and what people are told about it.


This is where legal advice becomes critical. The law expects businesses to be able to explain and justify their actions. Legal guidance helps you move beyond checklists and templates to decisions that are proportionate, commercially practical, and defensible when questioned.


What Businesses Need to Do Now


There are five key areas every business should focus on.


1. Transparency


The draft guidance for IPP3A makes it clear that transparency is at the heart of compliance. Your privacy policy and notification processes must now do more than describe the type or class of personal information collected. They must identify, wherever possible, the specific source of that information.


If your organisation collects personal information indirectly, your privacy policy should name the business or organisation that supplied it. For example, if you obtain information from a credit reporting agency or marketing data provider, you should name that company and, where feasible, include a link to its website. Generic descriptions such as “third party suppliers” or “data partners” will no longer be sufficient.


Your policy should also explain what information was collected, how it is used, and who it may be shared with. The aim is for individuals to understand how their information came to you and what will happen to it next.


You need a process to ensure the policy remains accurate over time. This can be achieved through an annual review cycle or a trigger-based process that requires a review whenever new data sources, suppliers or collection methods are introduced. The important thing is that your privacy statement always reflects current practice, not what used to occur.


Timing of notification is also critical. The Office of the Privacy Commissioner’s draft guidance expects notification to occur as soon as reasonably practicable after the information has been collected. In practice, this requires a judgment call. Your decision on when and how to notify individuals should be proportionate and documented, taking into account the nature and sensitivity of the information, what you already know about the individuals concerned, the cost and effort involved, and the most effective way to communicate the notice.


Getting this right is not just a compliance exercise. It demonstrates accountability and respect for the people whose information you hold. A well written and actively maintained privacy policy should give individuals a clear, accurate and timely understanding of how their data reaches you and how you handle it.


2. Contracts


Your contracts are where IPP3A obligations become enforceable.


Review all agreements involving personal information, including supplier contracts, marketing partnerships, data sharing arrangements and cloud or software agreements. Update clauses to clarify how notification obligations under IPP3A will be met where personal information is collected indirectly.


Under IPP3A, there is an exception where individuals have already been made aware of the collection by the third party that gathered their information directly. In practice, this will be one of the most commonly relied-on exceptions, as many organisations will depend on their suppliers or partners to have met the notification requirement.


If your business intends to rely on this exception, the contract must make that reliance explicit. A general understanding or assurance is not enough. Include clear, precise wording that allocates responsibility and confirms that the third party has met, or will meet, its obligation to notify affected individuals of the indirect collection by your business, including your business’s name and address.


You should also ask suppliers to confirm that their processes support these obligations and keep a record of your legal reasoning for any proportional or risk based approach you adopt.


Strong contracts demonstrate that privacy risks are being managed as part of your commercial framework, not left to assumption.


3. Awareness


Policies and contracts only work when people understand them.


Your staff need to know what IPP3A means in practice, including who collects what, who informs individuals, and what to do when something changes.


Communicate the new obligations across your organisation, particularly to those handling customer or employee data, managing suppliers or approving marketing activity. Refresh training materials and keep records of completion.


Encourage a culture where staff pause and ask questions before bringing in new data sources or tools. It is far easier to fix a privacy issue before it happens than after.


Awareness is where policy turns into behaviour. It is the difference between compliance on paper and compliance in practice.


4. Mapping


You cannot manage privacy risks if you do not know where your data comes from or where it goes.


Create a straightforward map of your data sources, including indirect and third party inputs. Record what is collected, from whom and why. Review the map regularly as suppliers and systems change.


Data mapping gives you visibility, and visibility gives you control.


5. Change


Many privacy issues arise not in steady state but when something changes.


When you change suppliers, add a system, or expand how data is used, privacy considerations can easily be overlooked. IPP3A obligations should be incorporated into your Privacy Impact Assessment process so that indirect collection and notification requirements are considered whenever new initiatives are reviewed.


You should also ensure that you have the right triggers in place. Build these into your procurement, IT and project management workflows so that any new system, data source or partnership automatically prompts a privacy review.


This does not need to be complicated. Even a short checklist or sign-off step can identify most issues before they occur. What matters is consistency. Involve legal early, not after the contract is signed or the tool is live.


Change management is the thread that keeps compliance together. Without it, even the best privacy frameworks can quickly fall behind.


The Cost of Doing Nothing


Because the Privacy Act’s financial penalties are low, many organisations assume the risk is minimal. It is not.


The real costs lie in the loss of customer trust, the disruption of an investigation or breach and the urgent remediation that follows. Being named publicly by the Privacy Commissioner can cause lasting reputational damage. The businesses that fare worst are not those that make mistakes but those that cannot show a structured, reasonable response.


Proportionate and Defensible Compliance


IPP3A does not expect perfection. It expects reasonableness and accountability.


In practice, most businesses are not looking for a gold plated or overly engineered approach. They want to be compliant, meet their legal obligations, and do the right thing by their customers and staff. The goal is to demonstrate that the organisation has understood its risks, taken proportionate steps to address them, and can explain and evidence those decisions if questioned.


A proportionate, defensible approach is built on three things: knowing your risks, documenting your reasoning, and being able to show why the actions you took were fair, reasonable and aligned with the Privacy Act.


This is where good legal advice adds real value. It translates broad privacy principles into tailored, commercially workable steps that fit the size, structure and risk profile of your organisation. It helps you achieve compliance that is both practical and principled, robust enough to stand up when tested without overburdening the business.


Board and Leadership Accountability


IPP3A readiness is not just a compliance exercise. It is a governance responsibility.


Boards should treat privacy as part of their duty to manage organisational risk. Directors should be asking:


  • Do we know where our personal information comes from?

  • Have we reviewed our contracts and privacy policies?

  • Do staff understand their responsibilities?

  • Do we have a plan if something goes wrong?


Being able to answer those questions and show evidence of oversight is now a hallmark of sound governance.


How I Help


At O’Brien Legal, I offer a one stop privacy service that combines privacy law, commercial contracting and privacy compliance. This means my clients can manage every aspect of their privacy obligations through a single, integrated legal partner.


I help businesses develop privacy frameworks that are both legally robust and commercially workable. My focus is on practical, proportionate solutions that protect your organisation, meet legal requirements and make sense in day to day operations.


I support clients with:

  • Drafting and updating contracts and commercial agreements to reflect IPP3A obligations and clearly allocate privacy responsibilities.

  • Reviewing and rewriting privacy policies and internal frameworks to meet the new transparency requirements.

  • Designing defensible action plans to implement IPP3A efficiently and proportionately.

  • Creating board reporting templates, accountability maps and leadership briefings to demonstrate governance oversight.

  • Embedding supplier and change management processes with built in IPP3A triggers.

  • Conducting Privacy Impact Assessments and preparing PIA templates and guidance materials that can be used across the business.

  • Providing breach response advice and supporting businesses through investigations or notifications.


You do not always need a large compliance project to meet IPP3A. What matters is a coordinated framework that integrates privacy law, commercial contracting and operational compliance. Whether you are building a full privacy programme or refining existing processes, the goal is to create an approach that is proportionate, defensible and aligned with your business.


Final Thoughts


IPP3A is more than a technical amendment. It signals a shift toward greater accountability in how businesses handle personal information.


It is also more work than many people realise. Understanding your data flows, updating contracts and privacy statements, and building change management processes all take time. It is far better to start now and ensure your business is ready before May 2026, when these changes come into effect.


While New Zealand’s privacy law may lack financial teeth, the reputational and operational impacts of getting it wrong are real. The good news is that compliance can be proportionate, practical and strategic when led through a legal lens.


If you want to understand what good looks like and how to make it defensible, now is the time to start.

