New Privacy Act Changes: What Australian SMBs Need to Know
Australia’s Privacy Act is getting a significant overhaul, and if you run a small business, the changes are going to affect you - possibly for the first time.
Let me cut through the legal jargon and explain what actually matters.
What’s Changing?
The Privacy Act reforms have been in the works since the Attorney-General’s review in 2022. The government’s been slowly implementing recommendations, and 2025 is bringing several significant changes:
Expanded coverage. The small business exemption that currently shields businesses with annual turnover under $3 million is being tightened. While it won’t disappear entirely, more businesses will find themselves covered.
Stricter consent requirements. The definition of “consent” is getting tighter. Pre-ticked boxes, buried privacy policies, and vague collection statements won’t cut it anymore.
New individual rights. People will have stronger rights to access, correct, and erase their personal information. You’ll need processes to handle these requests.
Higher penalties. Maximum penalties for serious breaches are increasing substantially. We’re talking millions of dollars for serious or repeated violations.
Mandatory privacy impact assessments. Certain high-risk processing activities will require formal assessments before you start.
Does This Apply to My Business?
Currently, the Privacy Act’s small business exemption means many SMBs aren’t covered. But the exemption has significant exceptions:
You’re already covered if you:
- Provide health services
- Trade in personal information
- Are a contracted service provider to the Commonwealth
- Operate a residential tenancy database
- Have opted in to coverage
The reforms are likely to narrow the exemption further. Even if you’re technically exempt now, treating personal information responsibly is good practice - and might be legally required sooner than you think.
And regardless of federal privacy law, there’s the Notifiable Data Breaches scheme, which already applies to many businesses.
The Notifiable Data Breaches Scheme - A Reminder
Since 2018, businesses covered by the Privacy Act must notify the Office of the Australian Information Commissioner (OAIC) and affected individuals when there’s an eligible data breach.
An eligible breach means:
- Unauthorised access, disclosure, or loss of personal information
- That a reasonable person would conclude is likely to result in serious harm
- And the organisation hasn’t been able to prevent the serious harm through remedial action
The notification must happen “as soon as practicable” and no later than 30 days after becoming aware.
Failing to notify a qualifying breach can result in significant penalties. The OAIC has been increasingly active in enforcing this.
Practical Steps for SMBs
Whether or not you’re currently covered, these changes are a good prompt to get your data practices in order.
1. Know what data you hold. You can’t protect what you don’t know about. Audit your systems:
- What personal information do you collect?
- Where is it stored?
- Who has access?
- How long do you keep it?
- When and how is it deleted?
2. Review your privacy policy. If your privacy policy is a template you copied years ago, it probably needs updating. It should clearly explain:
- What you collect and why
- How you use and share it
- How people can access or correct their information
- How to make a complaint
Make it readable. Legal boilerplate that nobody understands doesn’t count as transparency.
3. Establish consent practices. Are you collecting information with genuine, informed consent? Or are you burying it in terms and conditions nobody reads?
Consider:
- Clear, plain English explanations at the point of collection
- Active opt-in rather than pre-checked boxes
- Easy ways to withdraw consent
4. Build a breach response capability. If you suffer a data breach, you need to be able to:
- Detect it quickly
- Assess whether it’s notifiable
- Notify the OAIC and affected individuals within required timeframes
- Document the breach and your response
Your incident response plan should include a section specifically for privacy breaches.
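To make the "assess whether it's notifiable" step concrete, here is a small breach-triage record I've added as an example (it is not part of the original article or any OAIC tool). It encodes the three limbs of an eligible data breach and the 30-day clock described above; the class and field names, and the two incident scenarios, are this example's own constructions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# Notify "as soon as practicable" and no later than 30 days after becoming aware.
NOTIFY_WITHIN_DAYS = 30


@dataclass
class BreachAssessment:
    """One suspected breach, assessed against the three limbs of an
    'eligible data breach' as the article summarises them. Field names
    are this example's own, not OAIC terminology."""
    reference: str                        # internal ticket id (constructed)
    aware_on: date                        # date the business became aware
    unauthorised_access: bool             # limb 1: access, disclosure or loss
    serious_harm_likely: bool             # limb 2: reasonable-person test
    harm_prevented_by_remediation: bool   # limb 3: remedial action removed the risk
    notified_on: Optional[date] = None    # date OAIC and individuals were told
    log: List[str] = field(default_factory=list)  # written record of the response

    def record(self, when: date, note: str) -> None:
        """Keep a dated trail of the assessment and the actions taken."""
        self.log.append(f"{when.isoformat()} {self.reference}: {note}")

    def is_notifiable(self) -> bool:
        """All three limbs must hold for the breach to be notifiable."""
        return (self.unauthorised_access
                and self.serious_harm_likely
                and not self.harm_prevented_by_remediation)

    def deadline(self) -> date:
        return self.aware_on + timedelta(days=NOTIFY_WITHIN_DAYS)

    def status(self, today: date) -> str:
        """Where this breach stands against the notification clock."""
        if not self.is_notifiable():
            return "not-notifiable"
        if self.notified_on is not None:
            return "notified-on-time" if self.notified_on <= self.deadline() else "notified-late"
        return "overdue" if today > self.deadline() else "pending"


# Constructed scenarios, not real incidents.
# A lost laptop whose full-disk encryption meant the data could not be read:
LAPTOP = BreachAssessment("INC-001", date(2025, 3, 3), True, True, True)
# A customer database exported through a compromised account; not yet reported:
EXPORT = BreachAssessment("INC-002", date(2025, 3, 10), True, True, False)
EXPORT.record(date(2025, 3, 10), "alert from database audit log; account disabled")
```

The remediation limb is what makes the laptop case drop out: the same event without encryption would start the 30-day clock.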
5. Train your staff. Everyone who handles personal information needs to understand:
- What counts as personal information
- How to handle it appropriately
- What to do if they suspect a breach
- Who to report concerns to
Common Privacy Mistakes SMBs Make
Keeping data forever. You don’t need customer records from 2015. Old data is a liability, not an asset. Define retention periods and stick to them.
Sharing data without thinking. Before you give customer information to a third party - whether that’s a marketing tool, a subcontractor, or a business partner - consider whether you have the right to share it and whether you’ve disclosed that sharing.
Weak access controls. Does everyone in your business have access to all customer data? They shouldn’t. Implement need-to-know access.
No breach detection. If someone accessed your customer database without authorisation, would you know? How quickly?
Ignoring subject access requests. When someone asks to see what data you hold about them, you can’t just ignore it. Have a process for handling these requests.
The Intersection With Cybersecurity
Privacy and security are deeply connected. Most data breaches result from security failures:
- Compromised credentials leading to unauthorised access
- Ransomware exposing or stealing personal information
- Phishing attacks targeting data-rich systems
- Unpatched vulnerabilities being exploited
Implementing the Essential Eight maturity controls isn’t just about protecting your systems - it’s about protecting personal information and meeting your privacy obligations.
MFA prevents credential compromise. Patching closes vulnerability gaps. Backups let you recover without paying ransoms that might fund further data exposure.
What About AI?
An emerging area: the reforms are also looking at how AI uses personal information. If you’re using AI tools that process customer data, you’ll need to consider:
- What data the AI is trained on or has access to
- Whether customers have consented to AI processing
- Whether you’re using AI for automated decision-making that affects people
- Where the data goes when you use cloud AI services
The rules here are still developing, but the direction is toward more disclosure and more consent requirements.
Getting Help
Privacy compliance isn’t simple, but it’s manageable. For small businesses:
The OAIC publishes excellent guides specifically for small business: oaic.gov.au
Your industry association may have privacy resources tailored to your sector.
A privacy consultant can help with audits and compliance programs if you need hands-on assistance.
Your lawyer should review your privacy policy and help you understand your specific obligations.
The reforms are pushing Australian businesses toward better data practices. You can see it as a burden, or you can see it as an opportunity to build trust with your customers.
People care about their privacy. Businesses that demonstrate they take it seriously will have an advantage over those that treat it as an afterthought.
Start now, before the changes force your hand.