Privacy & compliance

Privacy impact thinking for new features (lightweight DPIA habits)

Updated 2026-04-11 · Practical guide for NZ small businesses

Short answer: before you ship a chatbot, loyalty programme, or new analytics pixel, ask which personal data flows change, who can now see that data, and what could go wrong. A lightweight impact habit at design time prevents expensive retrofits after launch.

A full, formal DPIA is only sometimes required (the trigger depends on which regime applies to you and how risky the processing is); even where it is not, most SMEs benefit from running a one-page version of the same exercise.

Five questions worth answering

  • New data: what is newly collected or inferred (content, identifiers, behavioural signals)?
  • Necessity: can you achieve the same goal with less data, or with less identifiable data?
  • Sharing: does the feature add new subprocessors or cross-border flows?
  • Risk: how could the data be misused, breached, or used to monitor people in ways they would not expect?
  • Mitigations: which access limits, retention caps, and user controls reduce that risk?

When to deepen the review

Large-scale profiling, systematic monitoring of public spaces, or data matching across unrelated datasets are classic triggers for a fuller, documented assessment rather than the one-page habit.

Developer collaboration

Embed the privacy questions in the ticket or design review itself: answering them before build is far cheaper than ripping out a feature after launch.

Frequently asked questions

Is this only for enterprises?

No. Small teams ship risky features fast, so a light, repeatable process is proportionate protection rather than enterprise overhead.

Does a DPIA go in the privacy policy?

Usually not. A DPIA is an internal working document; the privacy policy summarises its outcomes (what you collect, why, and who you share it with), not the draft notes.