Businesses are being advised to get up to speed with changes to the Privacy Act, which come into effect on 1 December.
The new law would require businesses, sports clubs and other organisations that collect personal data to have a privacy policy and officer in place.
The new Act gives the Office of the Privacy Commissioner significant powers of enforcement.
The director of operations at the business advocacy group New Zealand Business Tools, Stephen Conti, said the changes have received an underwhelming level of publicity.
He said this was concerning because of the penalties organisations might incur if they do not follow the new rules.
"The new legislation does give more power to the Privacy Office, certainly things that were optional before are now mandatory such as the reporting of a privacy breach that has caused serious harm, if that isn't reported through the correct channels and the privacy commission find out about it, it will be a $10,000 fine. "
Conti said that simple, innocent acts by an employee could become a serious risks.
"Just look at the guard who posted a selfie from the quarantine facility he was working in, but wasn't aware of a list of names and details in the background. As a result, the employee and the company got into all kinds of trouble."
He said businesses needed to look at their privacy policies and put measures in place to keep themselves and their customers' data safe.