Privacy and cyber security

Our cross-practice team helps clients comply with privacy laws, and plan for, and respond to, data breaches and security incidents.


We work closely with clients to develop compliance strategies

We understand how important and valuable the data held by our clients (including personal information) can be. We know the responsibilities that an organisation takes on when it collects and uses that data.

The legal, financial and reputational risks associated with privacy and cyber issues can be significant. The need for organisations to understand and meet their legal obligations has never been greater.

We can help you protect personal information and mitigate risk

The wide range of skills in our privacy and cyber security team enables us to understand how personal information fits in to your sector, and what the risks may be.

Our team brings together experts from the following practice areas:

  • Technology
  • Employment
  • Healthcare
  • Commercial
  • Public law
  • Payments.

We can help at every stage of the data lifecycle

We advise clients at all stages of the data lifecycle:

  • Carrying out privacy impact assessments before implementing new systems or collecting or using data in new ways (including data analytics)
  • Responding to Official Information Act, Local Government Official Information and Meetings Act (LGOIMA) and Privacy Act access requests
  • Meeting data retention and Public Records Act requirements
  • Establishing data governance policies (including in relation to the use of AI tools) and advising on the procurement and implementation of data governance tools
  • Dealing with privacy breaches, security incidents, complaints and investigations.

We have international data privacy expertise

We have a background in EU Data Protection law. We regularly advise international clients and law firms on New Zealand privacy law within a global compliance framework.

We have contributed to the New Zealand chapters of several guides and publications on international data protection and work closely with local privacy experts in other jurisdictions.

How we help clients

We advise on:

  • The implications of General Data Protection Regulation (GDPR) for New Zealand businesses
  • Providing or using cloud services involving significant data
  • Launching new data-driven business models and marketing activities
  • Transferring of customer databases following insolvency or as part of business acquisitions
  • Data matching
  • Generating insights and analysis from big data
  • Data governance issues
  • Preparing for, and responding to, data breaches and security incidents.

We also advise clients in the health sector on:

  • Compliance with the Health Information Privacy Code
  • Implementation of clinical management systems
  • Handling of patient and clinical information.

Our employment experts advise on privacy issues in relation to:

  • Recruitment
  • Use of HR information systems
  • Drug and alcohol testing
  • Disciplinary processes
  • Employee investigations and disputes.
  • Tier 1 - Data Protection - Legal 500 Asia-Pacific

Work highlights

Cyber attacks

Advising an online learning platform on New Zealand privacy breach reporting obligations following a malware attack, and a New Zealand bank on the Reserve Bank Accellion system hack.

Compliance documentation

Advising a major telecommunications company on a refresh of all internal privacy compliance documentation.

Data deletion and retention

Advising various businesses and public entities on data deletion and retention requirements under the Privacy Act and sector-specific data retention obligations.

Cyber Incident Response Plan

Assisting a private equity business to develop a Cyber Incident Response Plan for its New Zealand portfolio companies.

Data governance

Advising a large New Zealand state sector organisation on its procurement and implementation of a data governance tool (including the use of AI capability as part of the tool).

Cyber insurance

Advising a major utilities company on the coverage of its cyber insurance policy.

Our team

Allan Yeoman

Partner, Auckland

Allan is a partner in Buddle Findlay's Technology, Media and Telecommunications (TMT) team. He specialises in providing…

Email Allan Yeoman

Amy Ryburn

Partner, Wellington
Board of Management

Amy specialises in commercial law. She advises on a range of commercial matters but has a particular focus on technology, media and…

Email Amy Ryburn

Hamish Kynaston

Partner, Wellington

Hamish specialises in employment relations, litigation, health law, health and safety, and education…

Email Hamish Kynaston

Natasha Wilson

Partner, Wellington

Natasha is a partner in our public law team in Wellington, and has extensive experience in the health, education, and science and…

Email Natasha Wilson

Peter Chemis

Partner, Wellington

Peter specialises in employment law, industrial relations and related areas, and leads Buddle Findlay’s national employment team…

Email Peter Chemis

Philip Wood

Partner, Auckland

Philip specialises in providing commercial, IT, telecommunication, media and television/film sector advice including strategic advice…

Email Philip Wood

Renee Stiles

Partner, Wellington

Renee is a member of our Wellington corporate and commercial team, specialising in commercial contracting, information and…

Email Renee Stiles

Sherridan Cook

Partner, Auckland
Board of Management

Sherridan specialises in advocacy and commercial litigation, with considerable expertise and experience in…

Email Sherridan Cook

Susie Kilty

Partner, Wellington

Susie specialises in competition, fair trading, overseas investment consents and economic regulation, particularly of infrastructure in…

Email Susie Kilty