Sapna has completed a Bachelor of Arts/Laws. Since graduating, she's worked primarily in the field of legal research and writing, and she now writes for Sprintlaw.
If your business is collecting, using, or sharing personal information (and most businesses are), you’ve probably had the moment where you think: “Are we actually doing this the right way?”
A Privacy Impact Assessment (PIA) is one of the simplest (and most practical) ways to answer that question before a project goes live. It helps you spot privacy risks early, build better processes, and reduce the chance of an expensive, reputation-damaging privacy incident later.
This guide is updated to reflect how privacy risk is being approached in New Zealand right now, including the expectations that flow from the Privacy Act 2020 and the reality that many businesses are using more third-party platforms, automations and AI tools than ever before.
What Is A Privacy Impact Assessment (And When Do You Need One)?
A Privacy Impact Assessment is a structured process for checking how a project, product, system, or business change will affect privacy.
It’s not just a “big corporate” compliance exercise. A PIA is especially useful for small businesses because it helps you avoid building something that later needs to be reworked (or paused) because of privacy issues.
What A PIA Actually Does
A good PIA helps you:
- map what personal information you’re collecting and why;
- confirm you have a lawful and reasonable basis to collect and use it;
- identify privacy risks (including security and “creepiness” risks);
- decide what controls you need (policies, consent wording, access restrictions, retention rules); and
- document decisions so you can show you acted responsibly if there’s a complaint or investigation.
When You Should Run A Privacy Impact Assessment
You can do a PIA at any time, but it’s most valuable before you launch something new or change how you use data. Common triggers include:
- launching a new website, app, or online store that collects customer details;
- setting up email marketing automations and audience tracking;
- introducing CCTV, workplace monitoring, or access control systems;
- sharing customer data with a new software provider, contractor, or offshore service;
- collecting sensitive information (health, biometrics, identity documents, financial details);
- integrating AI tools that process personal information (even if it’s “just” for support tickets or recruitment);
- starting a loyalty program, referral program, or competition where people submit personal details.
If you’re not sure whether your project is “big enough” for a PIA, that’s usually a sign it’s worth doing. PIAs scale up or down depending on the size and risk of the project.
Why Privacy Impact Assessments Matter Under New Zealand’s Privacy Act
In New Zealand, privacy compliance is mainly governed by the Privacy Act 2020 and its Information Privacy Principles. A PIA isn’t expressly mandatory in every scenario, but it’s a very practical way to show you’re taking “reasonable steps” to comply with your obligations.
For business owners, privacy risk isn’t only about fines or formal penalties. The bigger day-to-day risks tend to be:
- loss of customer trust after a data leak or misuse;
- time and cost responding to access requests or complaints without clear processes;
- project delays when a platform or feature needs privacy rework late in the build;
- contract disputes with suppliers or partners over security responsibilities; and
- brand damage from “we didn’t think of that” moments (especially with tracking and targeted advertising).
PIAs Help You Operationalise The Privacy Principles
The privacy principles can feel broad. A PIA makes them concrete. For example, it pushes you to ask:
- Purpose: What are we collecting this for, and is it necessary?
- Transparency: Have we told people what we’re doing in clear language?
- Security: Who can access the data, and how is it protected?
- Retention: Are we keeping data longer than we need to?
- Access and correction: If someone asks for their information, can we find it quickly and respond properly?
- Disclosure: Are we sharing data with anyone else, and are we allowed to?
This is also where your customer-facing documentation matters. If your project collects personal data online, you’ll usually need a properly tailored Privacy Policy that matches what you actually do (not a template that doesn’t reflect your systems).
How To Undertake A Privacy Impact Assessment (Step-By-Step)
A PIA doesn’t need to be complicated. The key is to be methodical and to document your decisions as you go.
1. Define The Project And The “Why”
Start with a simple description:
- What are you building or changing?
- Who is it for (customers, staff, contractors, the public)?
- What problem are you solving?
- What systems, tools, and suppliers are involved?
This sounds basic, but it stops PIAs from becoming vague. You want the assessment to match the actual project scope.
2. Map The Personal Information Flow
This is the heart of a PIA. You’re mapping the “life cycle” of personal information, including:
- Collection: What data is collected (name, email, IP address, payment details, ID verification documents)?
- Source: Does it come from the person, from a third party, from tracking technology, or from internal systems?
- Storage: Where is it stored (CRM, cloud drive, HR platform), and in which country/region?
- Use: Who uses it and for what purpose?
- Sharing: Is it shared with vendors, couriers, payment processors, marketing platforms, or overseas contractors?
- Retention and deletion: How long is it kept, and how is it securely disposed of?
If you’re working with suppliers who may access customer data (like marketing agencies, IT providers, or virtual assistants), the privacy risk isn’t just “what you do” - it’s also what they can do. That’s where clear contractual controls help, often through a tailored service agreement and confidentiality obligations (for example, a Non-Disclosure Agreement for sensitive projects).
3. Identify What Privacy Risks Could Actually Happen
It’s easy to keep privacy discussions theoretical. In a PIA, you want to get specific about what could go wrong.
Common risk categories include:
- Over-collection: collecting more information than needed “just in case”.
- Function creep: using data later for a new purpose people wouldn’t expect.
- Security risk: weak access controls, shared logins, lack of encryption, no MFA, unsecured devices.
- Human error: sending emails to the wrong recipient, misconfigured sharing permissions, staff downloading lists to personal devices.
- Third-party risk: vendors storing data offshore, subcontracting work, or suffering their own breach.
- Transparency risk: privacy notices that are unclear, incomplete, or inconsistent with reality.
- Sensitive info risk: higher harm if data includes health information, identity documents, children’s info, or financial data.
A useful way to pressure-test risk is to ask: If a customer read about this on the front page of the paper, would we be comfortable explaining it? If not, it’s a signal to adjust the design.
4. Check Your Legal Basis And Notices (What You Tell People)
At this stage, you should check:
- Do you have a clear purpose for collection, and is it connected to your business operations?
- Are you collecting directly from the person, and if not, do you have a good reason?
- Are you giving people clear notice about what you collect, how you use it, and who you share it with?
- Are you relying on consent - and if so, is that consent genuinely informed and optional?
Many businesses get stuck on whether “consent” is required for everything. In practice, the bigger issue is whether you’ve been transparent and whether your collection/use is necessary and reasonable in context.
For online businesses, this is usually where your website terms and privacy documentation need to match your setup, including things like analytics, cookies, and marketing. If you’re collecting data through an online platform, your Website Terms and Conditions can also help set expectations about acceptable use, account security, and liability boundaries (privacy and terms should work together, not contradict each other).
5. Decide Controls And Improvements (And Assign Owners)
A PIA should end with a practical action list. You might decide to:
- collect less information (data minimisation);
- make certain fields optional rather than mandatory;
- change how you obtain consent or provide notice;
- tighten staff access permissions (role-based access);
- implement MFA and stronger password policies;
- introduce internal processes for privacy requests;
- create a retention schedule and deletion process;
- update supplier contracts to require specific security standards;
- train staff on handling personal information.
Assign each action to an owner and a timeframe. A PIA that ends with “we should improve security” isn’t as helpful as “Enable MFA for all admin users by Friday; limit customer exports to managers only.”
6. Document The Outcome And Keep It Updated
Once the project is live, revisit your PIA when something changes, like:
- you add a new tool (CRM, ticketing system, analytics platform);
- you start using data for a new purpose (new product line, new marketing channel);
- you expand into new markets or hire overseas contractors;
- you suffer (or nearly suffer) a security incident.
Privacy compliance is ongoing. A PIA is a snapshot, but it should also become part of your regular project checklist.
What Should A Privacy Impact Assessment Include? (A Practical Checklist)
If you want a useful PIA document (not something that sits in a folder and never gets read), include sections that help your team act.
Here’s a practical checklist you can use as a starting point:
- Project overview: what the project is, who it affects, and why you’re doing it.
- Personal information inventory: what you collect, including any sensitive information.
- Data flow map: collection, storage, access, sharing, retention, deletion.
- Purpose and necessity: why each category of information is required.
- Privacy notices and transparency: what you tell people and where.
- Security controls: access controls, encryption, MFA, audit logging, device policies.
- Third parties and offshore storage: vendors used, where data is stored, and how you manage vendor risk.
- Risk assessment: what can go wrong, likelihood, impact, and overall risk rating.
- Mitigation plan: actions to reduce risk, owners, and deadlines.
- Decision record: what you decided, what you didn’t do (and why), and who approved it.
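The data-flow map (step 2), the risk categories (step 3), the owned action list (step 5) and the checklist above can be kept as one machine-readable inventory. The following is an added example, not a Sprintlaw template or a tool from the page: it assumes an NZ-based business, treats an `"all staff"` access role as over-broad, and uses its own likelihood x impact scoring (1-3 each) to turn the page's risk categories into a rating and an action list with an owner.

```python
from dataclasses import dataclass, field
from typing import List, Optional

HOME_REGION = "NZ"  # assumption: the business and its customers are in New Zealand

@dataclass
class DataItem:  # one category of personal information from the data-flow map
    name: str
    purpose: str                      # empty = no justified business purpose
    sensitive: bool                   # health, ID documents, financial, children's info
    storage_region: str               # where the system holding it is hosted
    shared_with: List[str] = field(default_factory=list)  # vendors/contractors
    vendor_contract: bool = False     # security and confidentiality terms agreed
    retention_days: Optional[int] = None  # None = no retention/deletion rule yet
    access_roles: List[str] = field(default_factory=list)
    mfa_required: bool = False

def assess(item: DataItem, owner: str) -> dict:
    """Flag the step-3 risk categories, rate likelihood x impact (each 1-3), list actions."""
    flags = [
        (not item.purpose.strip(), f"Over-collection: drop '{item.name}' or record its purpose"),
        (item.storage_region != HOME_REGION, f"Offshore storage in {item.storage_region}: confirm notice and safeguards"),
        (bool(item.shared_with) and not item.vendor_contract, f"Third-party risk: agree security terms with {', '.join(item.shared_with)}"),
        (item.retention_days is None, "Retention: set a retention period and deletion process"),
        ("all staff" in item.access_roles, "Security: restrict access to named roles only"),
    ]
    actions = [msg for hit, msg in flags if hit]
    likelihood = min(1 + len(actions), 3)  # each flagged gap makes an incident more likely
    impact = 2 if item.sensitive else 1    # sensitive information means higher harm if it leaks
    if item.sensitive and not item.mfa_required:
        actions.append("Security: require MFA for everyone who can access this data")
        impact = 3
    score = likelihood * impact
    rating = "high" if score >= 6 else "medium" if score >= 2 else "low"
    return {"item": item.name, "likelihood": likelihood, "impact": impact,
            "rating": rating, "actions": [f"{a} (owner: {owner})" for a in actions]}

INVENTORY = [  # constructed sample: an online store adding identity verification
    DataItem("newsletter email", "send opted-in newsletter", False, "NZ",
             retention_days=365, access_roles=["marketing"]),
    DataItem("ID document scans", "verify identity", True, "US",
             shared_with=["KYC vendor"], access_roles=["all staff"]),
    DataItem("date of birth", "", False, "NZ", retention_days=30, access_roles=["support"]),
]

if __name__ == "__main__":
    for result in (assess(i, owner="Ops lead") for i in INVENTORY):
        print(result["item"], result["rating"], *result["actions"], sep="\n  ")
```

Each result is a row for the risk assessment and mitigation plan sections; re-running it after a tool or purpose changes is the "keep it updated" step.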
If your project touches employee data (for example, monitoring tools, staff scheduling platforms, HR systems, or recruitment), it’s also worth checking that your internal policies and employment documents line up with your practices. An Employment Contract and workplace policies can help set expectations around workplace technology, privacy boundaries, and confidential information.
Common Privacy Risks For Small Businesses (And How A PIA Helps You Avoid Them)
Most privacy issues we see aren’t caused by bad intentions. They happen because businesses move fast, add new tools, and don’t always pause to check how information is handled end-to-end.
Using Software Tools Without Checking Where Data Goes
CRMs, email marketing platforms, booking tools, and helpdesk systems are often essential. But each one can create new privacy and security risks, especially if:
- data is stored offshore without you realising;
- there are broad admin permissions and no audit trail;
- exported lists are stored locally and never deleted;
- contractors have ongoing access after they stop working with you.
A PIA forces you to map the vendor ecosystem and tighten access rules before it becomes messy.
Collecting More Information Than You Need
It’s tempting to collect extra details “in case we need it later.” But over-collection increases your compliance burden and your breach exposure. If you don’t need date of birth, home address, or ID documents, it’s usually safer not to collect them at all.
A PIA makes you justify each data field against a real purpose.
Not Having A Plan For Privacy Requests Or Complaints
Under New Zealand privacy law, individuals can request access to their personal information and ask for corrections. If you don’t have a process, these requests can become stressful and time-consuming, and you risk missing deadlines or giving incomplete responses.
PIAs often prompt you to set up a simple internal workflow, so you know:
- who receives requests;
- how identity is verified (if needed);
- where data is stored and how it’s retrieved;
- how responses are documented.
Weak Contracts With Contractors Or Service Providers
If someone external is handling personal information on your behalf, you want the contract to clearly set out:
- what they can and can’t do with the data;
- minimum security standards (and reporting of incidents);
- whether subcontracting is allowed;
- what happens at the end of the engagement (return/deletion of data).
This is where a tailored Service Agreement can do a lot of heavy lifting, because it reduces misunderstandings and helps you manage privacy risk proactively.
Key Takeaways
- A Privacy Impact Assessment (PIA) is a practical way to identify and reduce privacy risks before a new project, system, or process goes live.
- PIAs help you translate the Privacy Act 2020 and the Information Privacy Principles into real, day-to-day business steps (what you collect, why you collect it, who can access it, and how it’s protected).
- A good PIA maps your data flows end-to-end, including third-party suppliers, offshore storage, retention periods, and deletion processes.
- Common privacy risks for small businesses include over-collecting information, unclear notices, poor access controls, and weak supplier contracts - PIAs help you catch these early.
- PIAs should lead to a clear action plan with owners and deadlines, not just a general discussion about “privacy”.
- If your project involves collecting customer information online, make sure your Privacy Policy and website documentation match what your business actually does in practice.
If you’d like help running a Privacy Impact Assessment or tightening up your privacy documentation and contracts, you can reach us at 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligations chat.