Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you run a small business in New Zealand, you’re probably collecting more information than you realise. Customer names, emails, invoices, CCTV footage, website analytics, employee records, supplier contracts - it adds up quickly.
That’s where a data retention policy comes in. It’s a practical document that helps you decide what information you keep, how long you keep it for, where you store it, and how you safely delete it when you no longer need it.
When your processes are clear from day one, you reduce the risk of privacy breaches, you stay organised, and you’re in a much better position if something goes wrong (like a customer asking for their data, or your business experiencing a cyber incident).
What Is A Data Retention Policy?
A data retention policy is a written set of rules your business follows for:
- What data you collect (and why you need it)
- Where that data is stored (systems, devices, cloud platforms, paper files)
- How long you keep it (and how you decide that timeframe)
- Who can access it (and how access is controlled)
- How you securely dispose of it when it’s no longer needed
In practice, it’s a “house rules” document for information in your business. It should cover both:
- Customer data (e.g. contact details, order history, support requests, marketing lists)
- Business and internal data (e.g. payroll, HR files, contracts, financial records, internal emails)
A data retention policy is closely connected to (but not the same as) your public-facing Privacy Policy, which tells customers what you collect and why. Your retention policy is more operational - it tells your team what to do behind the scenes.
Why Do NZ Small Businesses Need A Data Retention Policy?
It’s tempting to think data retention policies are only for “big corporates”. But in reality, small businesses often have more risk because processes can be informal and spread across different people and systems.
Here are the main reasons a data retention policy matters.
1. It Helps You Comply With The Privacy Act 2020
Under New Zealand’s Privacy Act 2020, businesses that collect and hold personal information have to manage it responsibly. In particular, Information Privacy Principle 9 (IPP 9) says you generally shouldn’t keep personal information for longer than is required for the purposes for which it may lawfully be used.
In plain terms: if you’re holding personal information “just in case”, you may be creating unnecessary privacy risk.
A data retention policy helps you build privacy compliance into your day-to-day operations, including how you respond to requests and how you minimise harm if a system is compromised.
2. It Reduces Your Risk If There’s A Data Breach
Data breaches aren’t just a “tech problem” - they’re a business risk problem.
If a laptop is lost, an email account is hacked, or an online system is compromised, the impact is usually worse when:
- you’ve kept years of information that no longer serves a purpose
- data is stored across multiple locations (devices, inboxes, shared drives, personal phones)
- it’s unclear who has access and why
Retention is a form of risk management. The less unnecessary personal information you keep, the less there is to expose.
3. It Makes Your Business More Efficient (And Easier To Scale)
Even without legal pressure, good retention practices save you time and money. When staff know what to keep and where, you avoid:
- searching through old folders and inboxes for the “right” version of a document
- multiple duplicates of sensitive files stored in the wrong places
- unstructured offboarding when staff leave (and take business data with them)
This becomes even more important when you hire, expand, or start outsourcing tasks to contractors.
4. It Supports Your Contracts And Dispute Readiness
Sometimes you genuinely need to keep certain records, because they’re evidence of what happened - especially if a customer complains, you’re dealing with a chargeback, or there’s a supplier dispute.
A good retention policy helps you strike the balance between:
- keeping what you need for business continuity and legal compliance, and
- deleting what you don’t need to reduce privacy and cyber risk
This is particularly relevant if your business relies on written agreements and ongoing service arrangements. For example, if you use a Service Agreement with clients, you’ll want a clear approach to storing signed copies, statements of work, invoices, and key communications.
What Types Of Data Should Your Data Retention Policy Cover?
A strong data retention policy isn’t just about customer emails. It should cover the real-world categories of data your business holds.
Common categories for NZ small businesses include:
Customer And Marketing Data
- customer profiles (name, email, phone, address)
- order history and transaction records
- customer support tickets, complaints, and refunds
- marketing lists and subscription preferences
- website analytics data and cookie-related data
Employee And HR Data
- job applications and CVs
- signed Employment Contract records
- payroll and leave records
- performance management documents
- incident and health and safety records
Financial And Tax Records
- invoices and receipts
- banking records
- GST and tax-related documentation
- expense claims
Operational And Security Data
- CCTV footage (if you use cameras in the workplace)
- building access logs and security logs
- device records and system audit logs
- call recordings (if your business records calls)
Business Governance And Legal Documents
- company registers, resolutions, and key governance documents
- important contracts with suppliers and customers
- IP ownership records (assignments, licences)
- dispute and complaint files
Not every business will have all these categories, but most will have at least a few. The key is to map your actual data flows (what you collect, where it goes, and who touches it).
How Long Should You Keep Data In New Zealand?
This is the question most business owners ask first - and it’s also where things can get tricky, because the “right” retention period depends on:
- why you collected the information in the first place
- what laws apply to your industry and record types
- what you need to run your business effectively
- what you may need if there’s a complaint or dispute later
As a general rule, retention should be purpose-based. If you no longer need the personal information for the purpose you collected it for (and you’re not legally required to keep it), you should consider deleting it or de-identifying it.
Common Retention Considerations (In Plain English)
Here are examples of how small businesses often set retention periods:
- Financial and tax records: Inland Revenue generally expects businesses to keep tax records for 7 years (for example, to support income tax and GST positions). This is a common baseline, but your situation can differ - check IRD guidance and speak to your accountant for tax-specific advice.
- Customer support records: retained long enough to manage complaints, warranties, refunds, and service issues.
- Marketing consents: retained while the person is subscribed and for a reasonable period after unsubscribing (depending on your marketing practices and compliance needs).
- CCTV: often retained for a short operational timeframe unless it’s needed for an incident investigation.
- Job applicant data: retained for a limited time unless the applicant consents to being kept on file.
Because different laws can apply depending on your situation, it’s worth getting advice that reflects your business model, what you collect, and your real risk profile. (And where tax recordkeeping is involved, it’s best to confirm requirements with IRD guidance and/or your accountant.)
How Do You Create A Data Retention Policy? (A Step-By-Step Guide)
You don’t need to overcomplicate it - but you do need to be intentional. Here’s a practical way to build a data retention policy that actually works in your business.
1. List What Data You Collect (And Where It Comes From)
Start with a simple data inventory. For each category of data, write down:
- what the data is (e.g. customer email addresses)
- how you collect it (website checkout, enquiry form, in-store, phone)
- where it’s stored (CRM, email inbox, spreadsheet, accounting software)
- who has access (roles, not just names)
This step alone often reveals hidden risks, like customer data stored in personal inboxes or on unmanaged devices.
2. Define The Purpose For Each Data Category
For each type of information, be clear about why you keep it. For example:
- to fulfil orders and provide customer support
- to comply with tax obligations
- to send marketing communications (with consent where required)
- to maintain workplace safety records
This matters because purpose drives retention. If the purpose ends, retention should usually end too.
3. Set Retention Periods (And Write Down The Reasoning)
Your policy should specify retention periods in a way that your team can follow. You can do this in a simple table format, for example:
- Data type
- Owner (who is responsible for managing it)
- Storage location
- Retention period
- Disposal method
It’s also smart to note the reason (e.g. legal obligation, warranty period, operational requirement). That way, if you revisit the policy later, you’ll remember why those timeframes were chosen.
4. Decide How Data Will Be Stored Securely During The Retention Period
A retention policy isn’t just about “how long”. It also needs to cover safe handling while the data exists.
Typical controls include:
- role-based access (only the people who need access have it)
- multi-factor authentication on systems that store personal information
- encrypted storage for sensitive records (including full-disk encryption on any laptop or phone that holds them, so a lost device isn’t automatically a breach)
- clear rules about downloading data to personal devices
- secure storage for paper records (locked cabinets, controlled keys)
This is where your retention policy starts to overlap with broader privacy governance and internal policies (like IT security or workplace policies). If you’re collecting personal information, it’s also important that your external-facing documents match your internal practices, including your Privacy Collection Notice.
5. Set A Clear Deletion And Disposal Process
This is the step many businesses forget. If your retention policy doesn’t say how to dispose of data, people won’t do it consistently.
Your policy should cover:
- who deletes data (role/position)
- when deletion happens (e.g. monthly/quarterly review)
- how deletion happens (system delete, secure wipe, archive rules) - and check what “delete” actually does in each system, because many cloud and SaaS tools move items to a recycle bin or keep them for a period before they’re really gone
- how paper records are destroyed (e.g. cross-cut shredding, secure destruction provider)
- what to do with backups (how long backups are kept, and the fact that a record deleted from a live system will survive in backups until those backups rotate out)
Be realistic: if you set rules your team can’t follow, your policy won’t be used. The best policy is the one that fits your systems and day-to-day workflows.
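As an added example (not part of the original article, and not Sprintlaw’s own tooling), the retention schedule from step 3 and the deletion sweep from step 5 can be written down as data and a small script. The categories, periods, roles and record identifiers below are assumptions made for illustration, not advice on what your periods should be. The one thing the script shows that the table alone doesn’t is that the retention clock doesn’t always start when the data is created: for marketing consents and job applications it starts when the purpose ends (unsubscribe, role filled), and a record under legal hold is never auto-deleted even when its period has run out.

```python
"""Retention schedule sweep: flags records whose retention period has run out.

Added example, not the article's own code. All categories, periods, roles and
record IDs are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class RetentionRule:
    """One row of the retention schedule: data type, owner, period, reasoning, disposal."""
    category: str
    owner: str          # role responsible, not a named person
    retain_days: int    # retention period counted from the trigger event
    trigger: str        # "created", or "closed" = the purpose ended (unsubscribed, role filled)
    basis: str          # written-down reasoning for the period
    disposal: str       # how disposal is carried out


@dataclass
class Record:
    record_id: str
    category: str
    created: date
    closed: Optional[date] = None   # date the purpose ended; None means still in use
    legal_hold: bool = False        # set while a complaint, dispute or incident needs the record


# Illustrative schedule (assumed periods; confirm your own obligations, e.g. IRD guidance).
SCHEDULE = {
    "tax_record": RetentionRule("tax_record", "Finance", 7 * 365, "created",
                                "7-year tax record-keeping baseline", "delete from accounting system"),
    "cctv": RetentionRule("cctv", "Office manager", 30, "created",
                          "short operational need only", "overwrite on recorder"),
    "marketing_consent": RetentionRule("marketing_consent", "Marketing", 365, "closed",
                                       "reasonable period after unsubscribe", "purge from mailing platform"),
    "job_application": RetentionRule("job_application", "HR", 180, "closed",
                                     "limited period after the role is filled", "delete CV and notes"),
}


def expiry_date(record: Record, rule: RetentionRule) -> Optional[date]:
    """Date after which the record may be disposed of, or None while the purpose is still live."""
    start = record.created if rule.trigger == "created" else record.closed
    if start is None:
        return None
    return start + timedelta(days=rule.retain_days)


def sweep(records, today: date) -> dict:
    """Classify each record as delete (expired), hold (expired but on legal hold),
    retain (still within period or purpose still active), or unclassified (not in schedule)."""
    decisions = {"delete": [], "hold": [], "retain": [], "unclassified": []}
    for r in records:
        rule = SCHEDULE.get(r.category)
        if rule is None:
            # Inventory gap: the schedule has no row for this data type. Fix the schedule; don't guess.
            decisions["unclassified"].append(r.record_id)
            continue
        exp = expiry_date(r, rule)
        if exp is None or today <= exp:
            decisions["retain"].append(r.record_id)
        elif r.legal_hold:
            # Expired on paper, but evidence of a live dispute/incident must not be auto-deleted.
            decisions["hold"].append(r.record_id)
        else:
            decisions["delete"].append((r.record_id, rule.owner, rule.disposal))
    return decisions


# Constructed sample inventory for the example run.
SAMPLE_RECORDS = [
    Record("INV-2016-001", "tax_record", date(2016, 3, 1)),
    Record("INV-2023-114", "tax_record", date(2023, 10, 10)),
    Record("CCTV-0501", "cctv", date(2024, 5, 1)),
    Record("CCTV-0520", "cctv", date(2024, 4, 20), legal_hold=True),          # incident under investigation
    Record("MKT-77", "marketing_consent", date(2021, 6, 1)),                    # still subscribed
    Record("MKT-78", "marketing_consent", date(2021, 6, 1), closed=date(2023, 1, 15)),
    Record("APP-9", "job_application", date(2024, 2, 1), closed=date(2024, 3, 1)),
    Record("XYZ-1", "unknown_export", date(2020, 1, 1)),                        # never added to the schedule
]

if __name__ == "__main__":
    for action, items in sweep(SAMPLE_RECORDS, date(2024, 6, 1)).items():
        print(f"{action}: {items}")
```

Run on the sample inventory with 1 June 2024 as “today”, the old invoice, the May CCTV clip and the lapsed marketing consent come out as deletions with an owner and disposal method attached; the CCTV clip tied to an incident stays on hold; the unclassified export is surfaced as a gap in the inventory rather than silently kept or deleted. Running this kind of sweep on the monthly or quarterly cycle the policy names is what turns the schedule from a document into a practice.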
6. Build In A Process For Privacy Requests And Incidents
A good data retention policy should connect to how you deal with:
- requests for access to personal information
- requests to correct personal information
- complaints about privacy handling
- suspected data breaches
Even if you’re not dealing with these issues every day, having a plan helps you respond faster and more confidently. Many businesses also keep a simple incident playbook alongside the retention policy, so everyone knows what to do if something goes wrong.
7. Train Your Team And Review The Policy Regularly
A data retention policy is only effective if people follow it.
That means:
- training staff who handle customer and employee data
- including retention in onboarding and offboarding checklists
- reviewing the policy when systems change (new CRM, new HR tool, new storage platform)
- reviewing at least annually as your business grows
If your business engages contractors or external service providers who handle personal information on your behalf, you’ll also want the relationship documented properly (including responsibilities for retention and deletion). This is often managed through a contract framework, such as a Data Processing Agreement.
Key Takeaways
- A data retention policy sets out what data your business keeps, where it’s stored, who can access it, how long it’s retained, and how it’s securely deleted.
- Having a clear retention policy supports compliance with the Privacy Act 2020 (including IPP 9) and helps you avoid holding personal information longer than you need it.
- Good retention practices reduce your exposure if there’s a privacy incident or cyber security event, because you’re not storing unnecessary data.
- Your policy should cover practical categories like customer data, marketing lists, HR records, financial records, contracts, and security data (like CCTV if you use it).
- The best retention periods are purpose-based - you should keep information only for as long as you need it for the reason it was collected, unless a legal obligation requires longer.
- A workable policy includes a clear deletion process, assigns responsibilities, and is regularly reviewed and followed by your team.
If you’d like help putting together a data retention policy (and making sure it aligns with your wider privacy obligations and day-to-day business operations), you can reach us at 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligations chat.