Privacy Act 2020-compliant AI automation for New Zealand Ltd companies
Bad Robot delivers AI solutions, workflow automation, managed IT, and custom software for New Zealand small businesses - built to comply with the Privacy Act 2020, priced in NZD.
The Privacy Act 2020 replaces the 1993 Act entirely, introducing mandatory 72-hour breach notification and the statutory Privacy Officer requirement for every NZ organisation regardless of size or revenue
Source: Office of the Privacy Commissioner (privacy.org.nz)
Principle 12 of the Privacy Act 2020 strictly regulates cross-border data transfers: personal data may only be sent offshore where the receiving entity has comparable privacy safeguards, binding corporate rules are in place, or explicit informed consent is obtained from the individual
Source: Office of the Privacy Commissioner (privacy.org.nz)
New Zealand's talent shortage is pronounced relative to its small population of 5 million: automation adoption is a structural necessity for NZ businesses that cannot scale through headcount alone
Source: BusinessNZ
Services for New Zealand businesses
Every service is adapted for the New Zealand market - GST (15%)-inclusive pricing, Privacy Act 2020 compliance, and local industry focus.
AI Solutions
Custom AI models, chatbots, and intelligent automation tailored to your business workflows.
SEO Services
Data-driven SEO that builds sustainable organic traffic and visibility in local search.
Managed IT
Proactive IT management, monitoring, and support so you can focus on growing your business.
Business Consulting
Strategic digital transformation consulting for ambitious SMEs ready to scale.
Workflow Automation
Eliminate repetitive manual tasks with custom workflow automations that pay for themselves.
Network Security
Comprehensive cybersecurity solutions protecting your business data and reputation.
App Development
Custom web and mobile applications built with modern tech stacks and AI integration.
Why New Zealand businesses choose Bad Robot
Privacy Act 2020 native: all 13 Information Privacy Principles built into every solution from the architecture stage, not retrofitted after the OPC makes contact
72-hour breach notification ready: automated Principle 5 detection and OPC notification workflows are built in as standard, so you are never scrambling to meet the window
Privacy Officer support: tools and documentation designed specifically to support the mandatory Privacy Officer role that every NZ organisation must appoint, regardless of size
Callaghan Innovation aligned: solutions structured to qualify under R&D Growth Grant criteria, and we help NZ Ltd companies navigate the Callaghan Innovation application process from scoping to submission
NZD pricing with GST applied transparently: all projects scoped, quoted, and invoiced in New Zealand dollars with 15% GST applied correctly, giving NZ Ltd companies clean accounting from day one
NZST timezone support: business-hours response for New Zealand clients, with no offshore lag on production issues affecting your operations
Challenges New Zealand businesses face
We understand the specific pressures on New Zealand small businesses - and we build solutions that address them directly.
The 72-hour Principle 5 breach notification window is operationally demanding without automation. Assessing severity, documenting the incident, and notifying the OPC within 72 hours of becoming aware requires pre-built procedures that most NZ organisations do not have in place. The window closes fast, and manual processes that depend on the right person being available and alert are not reliable.
The mandatory Privacy Officer role requires every NZ Ltd company to appoint a designated individual responsible for Privacy Act 2020 compliance, regardless of company size or revenue. Most small businesses appoint the director by default, but without the tools or documentation to actually fulfil the role's obligations, the appointment is a formality that leaves the organisation exposed to OPC investigation.
Principle 12 cross-border data transfer restrictions are widely misunderstood by NZ businesses using international SaaS platforms. When personal data is routed through servers in the US, EU, or Australia without first verifying that comparable safeguards are in place, the business is in breach of Principle 12 from the first data transfer. Most NZ businesses using common cloud platforms are in breach right now and are not aware of it.
Principle 8 accuracy obligations require NZ businesses to verify data accuracy before use or disclosure at scale. For organisations processing significant volumes of customer, patient, or supplier data, manual validation is not a practical option. Automated data validation workflows are the only workable solution at the volumes most growing NZ businesses reach.
NZ's talent shortage, relative to its population of 5 million, means businesses cannot hire their way out of operational bottlenecks. Workflow automation is the primary mechanism for extending productive capacity without adding fixed headcount costs that a small labour market makes increasingly expensive.
Built for New Zealand compliance
Our solutions are designed with Privacy Act 2020 compliance embedded from the ground up. We work within the oversight framework of the Office of the Privacy Commissioner (OPC).
- Privacy Act 2020
- All 13 Information Privacy Principles (IPPs)
- OPC (Office of the Privacy Commissioner)
- Principle 5 (72-hour breach notification)
- Principle 12 (cross-border data transfers)
Privacy Act 2020, the 13 IPPs, and OPC compliance for New Zealand businesses
The Privacy Act 2020 replaced New Zealand's 1993 Privacy Act entirely. This was not a minor update. The 2020 Act has real enforcement teeth: mandatory breach notification, an extraterritorial application clause that covers any entity processing NZ resident data regardless of where that entity is domiciled, and a statutory requirement for every NZ organisation to appoint a Privacy Officer. The Office of the Privacy Commissioner (OPC) has the authority to investigate complaints, issue compliance notices, and refer serious matters to the Human Rights Review Tribunal, which can award damages.
For NZ businesses, this means privacy compliance is no longer a matter of good intentions. It is a structured legal obligation with a defined regulator, specific notification timelines, and concrete consequences for non-compliance. The 13 Information Privacy Principles (IPPs) form the architectural foundation of the Act. Every privacy obligation that a NZ organisation carries flows from one or more of these principles.
Principle 5 (Storage and Security) is the most operationally demanding for most NZ businesses. When a privacy breach is likely to cause serious harm to an affected individual, the organisation must notify the OPC within 72 hours of becoming aware of the breach. The "serious harm" threshold covers breaches involving sensitive personal information, financial harm, reputational harm, physical harm, and a range of other categories. The 72-hour clock starts when the organisation becomes aware, not when the breach is confirmed. That window is short, and it requires pre-built incident assessment and notification workflows rather than improvised responses. Missing the window or failing to notify when notification was required creates direct OPC exposure.
Principle 8 (Accuracy) creates a proactive obligation to verify data accuracy before using or disclosing personal information. This is not a passive requirement to correct errors when they are reported. At scale, this principle makes automated data validation practically essential. NZ organisations processing significant volumes of customer data, patient records, or supplier information need validation workflows that catch inaccuracies before they are acted on, not after.
Principle 12 (Disclosure Outside New Zealand) is the most widely misunderstood principle in the 2020 Act, and the most commonly breached in practice. Personal data may only be transferred offshore to entities with comparable privacy safeguards, where binding corporate rules are in place, or where the individual has given explicit informed consent. The EU GDPR provides comparable safeguards. The US, in the absence of specific contractual protections, does not. Most common SaaS platforms route data through US-based servers. Most NZ businesses using those platforms have not verified safeguard equivalence or implemented binding contractual protections. The result is systemic, ongoing Principle 12 non-compliance across significant portions of the NZ business community.
The Privacy Officer requirement is mandatory for every NZ organisation, regardless of size, revenue, or sector. The Act does not provide a small-business exemption. Most NZ small businesses appoint a director or office manager as Privacy Officer by default. Without the right tools, the role carries real obligation and real exposure without the operational infrastructure to discharge it effectively.
Privacy Impact Assessments (PIAs) are not explicitly mandated by the Privacy Act 2020, but the OPC strongly recommends conducting a PIA before deploying any new technology that involves personal data processing. For NZ businesses adopting AI solutions, custom applications, or new data platforms, a PIA-readiness framework demonstrates the accountability that the OPC looks for when investigating complaints or conducting proactive audits.
Bad Robot builds NZ solutions with Privacy Act 2020 compliance embedded from project scoping. All 13 IPPs are addressed in our architecture decisions, not reviewed after build. Principle 5 breach detection and OPC notification workflows are built in as standard. Principle 8 data validation is incorporated into every data processing pipeline. Principle 12 cross-border transfer restrictions are assessed and documented before any third-party platform goes live. Privacy Officer support tools, PIA-ready documentation, and OPC-ready compliance records are delivered as part of every engagement. NZ Ltd clients receive technology that works and complies from day one.
Callaghan Innovation funding for NZ technology businesses
Callaghan Innovation R&D Growth Grant + Project Grants
Callaghan Innovation is the New Zealand government's innovation agency, and it administers two primary R&D funding programmes that are directly relevant to NZ businesses investing in AI, automation, and custom software: the R&D Growth Grant and the Project Grants programme.
The R&D Growth Grant is a co-funding scheme for NZ businesses with established R&D programmes. Eligible businesses can claim a percentage of their qualifying R&D expenditure, making it a sustained, ongoing funding mechanism rather than a one-off project grant. To qualify, a business must be a NZ-resident company conducting R&D in New Zealand, and its R&D activities must meet the definition of "research and development" under the programme criteria. AI integration work with a genuine experimental or investigative component, custom software with novel technical challenges, and automation systems that require genuine R&D to build are all potential candidates for R&D Growth Grant qualification. Reference: callaghaninnovation.govt.nz.
Project Grants provide shorter-term funding support for specific R&D projects. These are particularly accessible for NZ businesses that are earlier in their R&D journey or that have a defined project with clear deliverables and a genuine R&D component. Project Grants can cover feasibility work, proof-of-concept development, and early-stage technical investigation, making them a practical entry point for NZ Ltd companies considering their first significant technology investment.
The key qualifying criterion for both programmes is that the work must constitute genuine R&D under Callaghan Innovation's definitions. This means the work must advance knowledge or capability in a way that is not obvious to someone already working in the field, and it must involve systematic investigation or experimentation. Building a standard website does not qualify. Building an AI system that applies machine learning to a novel business problem, or developing a custom workflow automation platform that solves a genuinely new technical challenge, typically does.
Bad Robot structures our NZ solutions to meet Callaghan Innovation R&D criteria where this is genuinely appropriate. We do not manufacture R&D content where none exists, but where a client's project has real investigative depth, we document the R&D components in a way that supports a Callaghan Innovation application. We are familiar with the application process and can support NZ Ltd clients from initial eligibility assessment through to submission at callaghaninnovation.govt.nz.
For NZ businesses considering significant AI or automation investment, Callaghan Innovation funding can materially reduce the net cost of qualifying projects. Given New Zealand's talent shortage and the structural pressure this creates to automate rather than hire, R&D-grade automation investment is not only commercially justified but potentially grant-eligible. We help you navigate both the commercial and funding dimensions.
Eligibility criteria
- NZ-resident company conducting R&D activities in New Zealand
- R&D work must meet Callaghan Innovation's definition: systematic investigation or experimentation to advance knowledge or capability
- AI integration with a genuine experimental component, novel custom software, or automation with real technical R&D content are typical qualifying activities
- R&D Growth Grant: for businesses with established R&D programmes seeking ongoing co-funding of qualifying R&D expenditure
- Project Grants: for businesses with a defined shorter-term R&D project, including feasibility studies and proof-of-concept development
- Apply through Callaghan Innovation at callaghaninnovation.govt.nz; we support eligibility assessment and application preparation
Frequently asked questions - New Zealand
What AI services does Bad Robot offer NZ businesses?
Bad Robot provides Privacy Act 2020-compliant AI solutions, workflow automation, managed IT, SEO services, business consulting, network security, and custom app development for NZ Ltd companies. All solutions are priced in NZD with GST (15%) applied transparently, and every service is built around the 13 Information Privacy Principles from the project scoping stage.
Does your software comply with New Zealand's Privacy Act 2020?
Yes. The Privacy Act 2020 is the foundation of our NZ compliance approach. We build every solution around all 13 Information Privacy Principles, with particular attention to Principle 5 (72-hour breach notification to the OPC), Principle 8 (data accuracy obligations before use or disclosure), and Principle 12 (cross-border data transfer restrictions). Compliance is built in at the architecture stage, not added after deployment.
How does your system handle the 72-hour breach notification requirement under Principle 5?
We build automated breach detection and OPC notification workflows into every solution as standard. When a notifiable privacy breach occurs, the system assesses severity against the "serious harm" threshold, documents the incident, and generates the OPC notification filing within the 72-hour window. You are not relying on a manual process that depends on someone noticing and acting in time.
Can your tools support our mandatory Privacy Officer role?
Yes. Every NZ organisation is required by the Privacy Act 2020 to appoint a Privacy Officer. We build the tools and documentation that make this role practical: breach detection alerts, incident documentation workflows, data subject request management queues, privacy impact assessment templates, and compliance reporting that gives your Privacy Officer a clear operational picture at all times.
How do you ensure cross-border data transfers comply with Principle 12?
Principle 12 of the Privacy Act 2020 restricts personal data transfers to offshore entities that do not have comparable privacy safeguards in place. Before any data leaves NZ, we conduct a cross-border data transfer audit of every third-party platform in your stack. Where a platform lacks comparable safeguards, we implement binding contractual protections or route data differently. We document every transfer decision for your Privacy Officer records.
Can I access Callaghan Innovation funding for AI adoption?
Yes. The Callaghan Innovation R&D Growth Grant and Project Grants support NZ businesses undertaking genuine R&D, and AI integration with a genuine research or development component typically qualifies. We structure our solutions to meet Callaghan Innovation R&D criteria and can support your application process. Reference: callaghaninnovation.govt.nz.
Ready to get started?
Book a consultation with our team. We'll discuss your New Zealand business challenges and map out an AI solution that delivers real ROI.