Privacy Baseline Checklist (Plain English)
A practical, vendor-neutral baseline for handling customer and staff data - designed for NZ small businesses.
How to use this
- Start with the data map (top 5 systems is enough).
- Define retention and restrict access to reduce risk.
- Keep a one-page incident plan so you’re not improvising under pressure.
Tip: You don’t need perfect. You need a repeatable baseline and evidence it’s working.
Privacy baseline (SME-friendly)
- Data map: list where customer/staff data lives (email, files, CRM/accounting, HR).
- Purpose: for each dataset, record why you hold it (and who owns it).
- Retention: define how long you keep it; stop “keep everything forever”.
- Access control: restrict sensitive data to need-to-know; review access quarterly.
- Backups: confirm backups are secured and access is restricted (backups often contain everything).
- Third parties: track vendors who can access personal data and review access regularly.
- Incident plan: one-page plan for what to do if data is exposed (owner, steps, evidence, notifications).
Data map template (copy/paste)
| System / location | Data types | Owner | Who has access? | Retention | Notes |
|---|---|---|---|---|---|
| Email | Customer comms, invoices, staff info | | | | |
| Shared drive / cloud storage | | | | | |
| CRM / accounting / payroll | | | | | |
What good looks like (evidence you can show)
- A basic data map exists and is maintained (top 5 systems is enough).
- Retention periods are defined for key record types.
- Access reviews occur quarterly (even if lightweight).
- An incident response owner is nominated and the one-page plan exists.
Common gotchas
- Personal data lives in ad-hoc spreadsheets and inboxes (hard to control, easy to leak).
- Shared folders have “everyone” access for convenience.
- Old records are kept indefinitely with no reason or policy.
- Vendor access exists but no one can answer “who has access?” quickly.
Note: This document is general operational guidance and does not replace legal advice. It helps you establish a practical baseline and reduce common privacy risks.
Free 30-minute consultation
No hard sell - just clarity and practical next steps.
hello@virtusgroup.biz
virtusgroup.co.nz
0800 847 887 (VIRTUS)