Navigating the AI Frontier: Why Robust Privacy and Cybersecurity Compliance is Essential for New Zealand Businesses


The advent of Artificial Intelligence (AI) and particularly generative AI tools like ChatGPT has ushered in a new era of digital transformation for New Zealand, offering innovative ways to process data, create content, and automate tasks. However, this rapid technological adoption also presents a complex landscape of privacy and cybersecurity challenges that New Zealand businesses must proactively address to ensure compliance, build public trust, and safeguard their operations.

The AI Revolution and Its Double-Edged Sword

AI, defined as computer systems that derive information, learn from experience, and utilise thought and reason, is now capable of creating new content (text, audio, image/video) through generative AI. Services like ChatGPT have seen exceptionally rapid user adoption, far outpacing other online services in reaching one million users. While AI offers immense opportunities, it simultaneously introduces significant risks:

  • Data Vulnerability: AI models are trained on vast datasets, often including personal information scraped from the internet, and there is "no real way to stop them". This means that personal and confidential information entered by employees into AI tools, even for work purposes, can be retained by providers and used to train models, creating a risk of disclosure. A 2025 survey found that 57% of enterprise employees input confidential data into AI tools, and 68% use personal AI accounts for work, highlighting a widespread unmanaged risk.
  • Hallucinations and Misinformation: AI systems are prone to "hallucinations," producing confident errors of fact and logic. Cases have shown AI chatbots fabricating legal cases, providing incorrect customer policies, and generating erroneous search results. Such inaccuracies can lead to significant harm, as seen when a man filed a complaint after ChatGPT falsely stated he killed his children.
  • Deepfakes and Impersonation: AI-driven phishing attacks and deepfake impersonation scams are emerging as highly sophisticated threats. Attackers can convincingly mimic executives or key personnel to facilitate fraudulent transactions or spread disinformation.

New Zealand's Regulatory Landscape: A Snapshot

New Zealand's Privacy Act 2020 governs the collection, use, and disclosure of individuals' personal information and applies to all organisations and individuals using AI tools. The Act's 13 Information Privacy Principles (IPPs) set out how personal information must be handled, including requirements for lawful collection, storage security, and individuals' rights to access and correct their information.

However, the Privacy Act 2020, drafted in 2013, is increasingly seen as outdated and outpaced by rapid technological advancements like generative AI and biometrics. Key shortcomings include:

  • Insufficient Penalties: Maximum penalties of NZD 10,000 for specific criminal offences under the Privacy Act are considered "minimal" compared to multi-million-dollar fines in jurisdictions like the EU (up to €20 million or 4% of global turnover) and Australia (up to AU$50 million). This lack of significant financial deterrents reduces the incentive for businesses to prioritise privacy.
  • Lack of Adaptability: While technology-neutral, the Act lacks specific provisions, rights, and obligations adopted by other countries to address privacy challenges from new technologies, especially AI.
  • No Distinction for Sensitive Information: Unlike the EU and Australia, New Zealand's Act does not create a separate category for 'sensitive personal information' that requires stricter protections, which is particularly concerning with the rise of biometric data.

Recognising these gaps, there are ongoing efforts for reform, including the Privacy Amendment Bill 2024, which proposes greater disclosure obligations and clarification on liability for third-party service providers. The Office of the Privacy Commissioner (OPC) actively provides guidance on applying the IPPs to AI tools, emphasising the need for senior leadership approval, privacy impact assessments (PIAs), transparency, and human review of AI outputs.

Beyond privacy, New Zealand is also strengthening its broader cybersecurity posture. The National Cyber Security Centre (NCSC), now integrated with CERT NZ, is the lead operational cyber security agency, providing services to all New Zealanders. The NCSC has introduced ten Minimum Cyber Security Standards for public sector agencies, covering areas like security awareness, risk management, patching, multi-factor authentication, and data recovery, with a mandate for compliance by October 2025. The government is also set to strengthen its stance against cybercrime with new legislation aligning with the Budapest Convention, the only binding international treaty focused on fighting cybercrime.

Escalating Cyber Threats and AI's Role

New Zealand faces a growing and sophisticated array of cyber threats that malicious use of AI tools can exacerbate:

  • Phishing and Credential Harvesting: These remain the most common incidents reported by both individuals and organisations, with attackers constantly experimenting with new tradecraft and technologies. AI can be used to write more convincing phishing emails in various languages.
  • Ransomware and Data Breaches: Ransomware attacks can bring operations to a standstill, inflicting severe financial and reputational damage. The NCSC reported 37 ransomware incidents affecting individuals or small to medium businesses in 2023/2024. Globally, significant data breaches affecting New Zealanders' personal information are an ongoing trend. The financial services company Latitude experienced a breach exposing personal identity and contact information of 1 million Kiwis, showing how data retention issues make organisations softer targets.
  • State-Sponsored and Geopolitical Attacks: New Zealand has seen an increase in state-sponsored incidents, consistent with a globally adversarial cyber threat landscape. Foreign states are active in cyber exploitation, foreign interference, and espionage, targeting critical infrastructure and intellectual property. State-sponsored and criminal cyber actors are forging ties in the cybercrime ecosystem to reduce overheads for their operations.
  • Supply Chain Vulnerabilities: Third-party suppliers are a significant attack vector, accounting for over a quarter of all cyber-attacks and incidents in New Zealand businesses. Inadequate oversight of third-party vendors can lead to substantial reputational and operational risks, as exemplified by the Latitude Financial breach.

The Urgency for Proactive Compliance

New Zealanders are increasingly concerned about AI. A 2025 survey by the OPC found that nearly two-thirds of Kiwis are worried about government agencies or businesses using AI to make decisions about them, with 82% wanting more control over their personal information. Only 34% say they are excited about AI, while 60% are worried, and 68% are worried about the malicious use of AI and the lack of regulation.

This highlights a critical need for businesses to adopt a proactive and preventative approach to AI, privacy, and cybersecurity.

  • Embed Cybersecurity as an Enterprise-Wide Risk: Cybersecurity is no longer solely an IT issue but a fundamental business risk affecting strategy, operations, and resilience. Boards must treat it as an enterprise-wide risk and ensure it's a standing agenda item, with adequate time for discussion.
  • Prioritise Privacy by Design: The best time to start privacy work is at the beginning of any AI project. Conducting Privacy Impact Assessments (PIAs) before using AI tools is essential to understand and mitigate potential privacy risks, including engaging with impacted communities, especially Māori.
  • Robust Data Governance: Implement clear policies on data protection, encryption, and regulatory compliance. Businesses must be confident they can provide access to and correct personal information stored in AI systems, and ensure the accuracy, relevance, and reliability of AI outputs.
  • Invest in Talent and Training: Human error accounts for many cyber incidents. Regular and targeted cybersecurity awareness training for all employees is crucial, covering how to identify scams, use strong authentication (like multi-factor authentication, MFA), and keep devices updated.
  • Strengthen Technical Controls: Implement robust security measures like two-factor authentication, regular system patching, monitoring for unusual behaviour, and secure configurations for cloud environments and applications. Back up critical data with encryption and regularly test recovery plans.
  • Manage Third-Party Risks: Conduct formal due diligence, audits, and ensure contractual compliance clauses for vendors, especially those handling your data or providing critical systems.

Conclusion

The digital future is here, driven by AI, and New Zealand's economic prosperity and social wellbeing are increasingly reliant on its secure and ethical adoption. While the benefits of AI are undeniable, the associated privacy and cybersecurity risks are profound. For businesses, compliance is not merely about avoiding penalties; it's about building and maintaining trust with customers, employees, and the wider community. By adopting a strategic, enterprise-wide approach to AI governance, prioritising privacy by design, investing in robust security measures, and fostering a culture of cybersecurity awareness, New Zealand businesses can confidently navigate the AI frontier and thrive in an increasingly connected, yet challenging, digital world.
