Privacy Amendment Act 2025, IPP 3A, in force 1 May 2026. Mandatory notification obligations for every NZ organisation. Assess governance exposure
NZ Privacy Act 2020
Current as of 1 May 2026

The governance layer
for organisational
AI adoption.

Documented AI governance. Privacy Act obligations. Staff capability records. Policy version control. One operational environment for NZ organisations that need governance in place, not governance in progress.

Serious privacy breaches notified to the OPC rose 43% in 2024/25 — the highest on record. IPP 3A mandatory notification obligations in force 1 May 2026. Source: OPC Annual Report 2024/25 · Privacy Amendment Act 2025

Assess governance exposure → See the platform ↓
Privacy Act 2020 · Section 113
Privacy Amendment Act 2025 · IPP 3A
OPC 72-hour notification expectation
NZ-built · NZ law
43%
Rise in serious privacy breaches notified to the OPC in 2024/25. The highest on record.
OPC Annual Report 2024/25
72hrs
OPC expectation for notifiable breach reporting from the moment an organisation becomes aware.
OPC guidance · May 2024
$500k
Proposed personal director liability under Privacy Act reform currently before the NZ government.
Bell Gully · Director Liability Analysis · 2026
What ComplianceLayer is

AI governance infrastructure.
Not training software.
Not a policy generator.

Breach response records, board reporting, training completion evidence, and policy version control in one governance environment. Policies drift when ownership disappears. ComplianceLayer holds the structure when people change.

01
Breach response records
Timestamped incident triage from first awareness through OPC notification and board reporting
02
Policy version control
Privacy documents current to the Privacy Act 2020 and Privacy Amendment Act 2025, tracked and dated
03
Training completion evidence
Individual certification records and board-reportable evidence for staff capability
04
Onboarding continuity
Governance records that hold their structure when staff and leadership change
Operational reality

Incident timelines matter after disclosure.

The OPC assesses how an organisation responded, what records exist, and whether the response was timely. That assessment depends on what was documented before the incident occurred.

OPC breach notification guidance ↗
Policies drift when ownership disappears. A privacy policy assigned to a staff member who left carries no active owner. The obligation under the Privacy Act 2020 remains.
Completion records become fragmented. Staff capability evidence without individual certification records cannot be reported to a board accurately.
Board reporting depends on evidence quality. A board cannot govern what has not been measured. Governance posture requires records, not recollections.
The 72-hour expectation begins at awareness. Organisations without documented processes routinely miss it. Source: OPC Annual Report 2023/24.
The governance environment

Branded to the organisation.
Live on its own domain.

Each organisation operates its own branded environment on its own domain. Staff access their records directly.

organisation.compliancelayer.nz
ComplianceLayer governance environment
The platform

Three tools.
One governance environment.

Each organisation operates a configured environment on its own domain. Built to its structure, its industry, and current NZ law.

Incident response

BreachReady NZ

Structured triage from first awareness through OPC notification and board reporting. Every step timestamped. Notifiability assessed against section 113 of the Privacy Act 2020.

Built to Privacy Act 2020 · section 113 and OPC notification guidance · May 2024

Documented. Defensible. OPC-ready within 72 hours.
breachready · incident triage
Incident logged
25 May 2026 · 09:14
Notifiability
Assessment running
Section 113 threshold
Serious harm test applied
OPC notification
Ready to file
Board report
Generated
Policy management

PolicyLayer

Privacy policies and compliance documents aligned to the Privacy Amendment Act 2025, including IPP 3A in force 1 May 2026. Version controlled. Ownership assigned.

Aligned to the Privacy Amendment Act 2025 · IPP 3A in force 1 May 2026

Current as legislation changes. Version controlled.
policylayer · document status
Privacy policy
Current · v4.2
Terms of service
Current · v2.1
Cookie notice
Current
IPP 3A alignment
Verified · 1 May 2026
Legislation version
Privacy Amendment Act 2025
Staff capability

AiReady NZ

Twelve modules covering AI use, Privacy Act obligations, and safe practice in NZ workplaces. Individual certification records. Board-reportable evidence. Governance continuity when staff change.

Covers obligations under the Privacy Act 2020 and Privacy Amendment Act 2025 as they apply to AI use in NZ organisations

Completion records. Board evidence. Governance continuity.
aiready · workforce status
Modules available
12 of 12
Staff certified
24 of 26
Pending completion
2 staff · reminder sent
Board evidence
Report ready
NZ Privacy Act
Aligned
Assess governance exposure

Send a message.
A response within
24 hours.

No pricing on this page. That conversation happens directly. Send the organisation name and current situation. The right response follows.

Information handled under the NZ Privacy Act 2020. Invoiced through PureLayer Ltd.

Privacy Act 2020 ↗ Privacy Amendment Act 2025 ↗ OPC Breach Notification ↗ OPC Annual Report 2024/25 ↗ NZ Cyber Security Strategy 2026 ↗ Ministry of Justice · IPP 3A ↗