If your business runs credit checks, uses AML/CFT providers, receives information from lenders or insurers, or relies on referrals, there is a good chance you are already collecting personal information about clients from third parties.
From 1 May 2026, that becomes a much more important compliance issue.
What has changed
A new privacy rule means businesses that collect personal information about individuals from someone else may need to notify those individuals, unless an exception applies. In plain English, if you have been asking about your clients, rather than collecting the information directly from them, you may now need to tell them.
This is not a niche issue. It affects financial advisers, FAPs, mortgage and insurance brokers, and AML/CFT reporting entities. More broadly, it affects New Zealand businesses that collect personal information from third parties.
Why this is more involved than it looks
In practice, this is likely to require more than a quick update to your privacy policy. You may need to name specific providers, cover six disclosure points, and keep records. A line in a privacy policy is unlikely to be enough. In many cases, a better practical solution will be a well-drafted engagement letter clause supported by a named disclosure schedule.
That means many businesses may need to review more than one part of their process. Engagement letters, onboarding documents, referral processes, and the way information is handled for co-borrowers, guarantors, and existing clients may all need attention.
A practical webinar on what to do next
This is why Strategi Compliance is running a practical webinar on 15 April 2026.
The session is designed for business owners, senior managers, compliance officers, advisers, and other businesses that may be affected by the new rule. It will explain what has changed, who needs to comply, what needs to be done before 1 May 2026, and why this is more than just a technical privacy update. The focus is on implementation, not theory.
If you are not sure whether your current processes and documents already cover this, the honest answer for many businesses is probably no. This webinar is a practical way to understand where your business may be exposed and what needs to happen next.
Strategi is developing an IPP3A Implementation Kit for businesses that want help putting the required changes in place after the webinar. It will be available for $199 + GST and will include a plain English guide, ready-to-use wording for engagement documents, practical templates, and guidance notes. It is designed to help with the practical groundwork, but more complex situations may still need further support.
The first step is understanding the new privacy principle and what being ready by 1 May 2026 actually looks like.
Webinar details
Date: Wednesday 15 April 2026
Time: midday 12pm
Duration: 1 hour
Cost: $50 + GST
Register for the webinar and make sure your business is ready before 1 May 2026.