The data people who refuse to leave a mess behind.

Every system we deliver is aligned to the Australian Privacy Principles and Essential 8 Maturity Level 1 hygiene by default. If you need a penetration test or a 24/7 Security Operations Centre, we’ll introduce you to specialists.

Every engagement starts with a written data inventory: what you hold, where it lives, who can see it, and what risk that carries. That inventory is the baseline we measure against.

The most significant SMB privacy shift in a decade

The Privacy Act changed.
Most small businesses don’t know they’re now exposed.

The reform package that began phasing in from late 2024 has fundamentally changed commercial liability for Australian small business. If you handle customer data and you’ve been relying on the historical small business exemption — that defence is going away.

Statutory tort for serious invasions of privacy

Individuals can now sue businesses directly for serious privacy breaches — a new direct right of action that didn’t exist before. Customer lawsuits are now a realistic exposure.

Penalties up to A$50M per breach

For serious or repeated breaches. The penalty regime has been recalibrated to be punitive at the upper end. Insurance won’t cover wilful non-compliance.

Small business exemption sunsetting

The historical “under $3M annual turnover” exemption that excused most SMBs from APP obligations is being phased out. Broader obligations now apply progressively.

Notifiable Data Breach scheme tightened

Shorter notification windows, a broader scope of what counts as notifiable, and a stricter “reasonable steps” obligation. Ignorance is no longer a defence.

Insurance + supplier pressure

Banks, large suppliers, and B2B customers are increasingly requiring privacy compliance attestation before contracting. Insurance premiums are jumping for businesses without documented posture.

What this means in practice

The bigger pressure isn’t the regulator. It’s your insurer and your B2B customers.

Regulator action is the headline risk, but the real-world pressure most SMBs will feel first is commercial. Insurance renewals now ask for evidence of privacy posture. B2B customers in professional services and supply chains increasingly require compliance attestation before signing contracts. Banks and lenders are asking the same questions during finance applications. Without documented posture, you risk losing contracts and paying higher premiums — long before you ever hear from the OAIC.

What “documented posture” actually looks like: a written data inventory, a scored baseline against the Australian Privacy Principles, evidence of reasonable steps (MFA, RBAC, vendor register, breach plan, training records), and a current Statement of Posture you can hand to an insurer or auditor. That’s what the Privacy Health Check and the Data Posture Snapshot produce.

What “baked in” actually means

Six controls we apply on every engagement — not optional extras, not an upsell. The standard of work.

MFA enforced everywhere

Multi-factor authentication on every tenant we configure — Microsoft 365, Google Workspace, DSConnect, and every third-party admin console. No exceptions for "just the owner."

Admin separation

Admin accounts are not day-to-day accounts. Privileged actions are auditable, not buried in the same login your team uses for email.

Role-based access

Your sales team sees sales data. Payroll sees payroll. Documented, reviewable, and tightened whenever roles change.

Vendor & processor register

Every third-party app your data touches — Zapier, Make, integrations, marketing tools — is listed with what it accesses and what it does with the data.

Quarterly access reviews

Joiners, movers, leavers, and stale accounts. We catch the contractor who finished six months ago and still has admin rights.

Offboarding hygiene

When a staff member or vendor leaves, access is revoked cleanly with an audit trail. Not a sticky note that says "deal with that later."

What we don’t do

Being loudly honest about this is the whole point. If you need any of the below, we’ll introduce you to specialists we trust.

Penetration testing

External attack-surface testing belongs with specialists who do it daily.

24/7 Security Operations Centre

Threat monitoring and active response form a different discipline with different staffing.

Incident forensics

If something has already gone wrong and you need investigation-grade analysis, you need a forensic specialist, not us.

ISO 27001 certification audits

Formal certification work is done by accredited auditors. We will help you prepare for one if that’s your goal.

Specialist partner introductions available on request.

We eat our own cooking

We hold our own systems to the same standard we hold yours. We measure ourselves on the same controls we configure for clients — and we’ll publish the current numbers here once they’re baselined and dated.

Until then, ask in your discovery call and we’ll walk you through where we currently sit.

What we measure on ourselves

  • Multi-factor authentication coverage across staff and contractors
  • Patching cadence on every tenant and endpoint
  • Vendor list and processor terms
  • Access reviews — last run, next due

Numbers published here once baselined.

Not sure where you sit?

Start with a free 5-minute self-assessment.

Ten honest questions across five areas — access, data quality, resilience, privacy, and people. Get a scored picture of your current posture and a personalised next step. No payment, no sales script.

Productised entry points — documented posture, fast

Get the evidence your insurer or B2B customer will ask for.

Two paid ways to produce documented Privacy Act posture. Pick the one that matches how much evidence you need.

Entry tier · Privacy Act 2024-aligned

Privacy Health Check

From $895

60-minute structured review

A scorecard against the Australian Privacy Principles and Essential 8 Maturity Level 1, with the top three actions to fix first. Designed for businesses being asked for evidence by an insurer, lender, or B2B customer for the first time.

When to book this: insurance renewal, new B2B contract under review, or you’ve realised the small business exemption no longer covers you.

  • 1-page Statement of Posture you keep
  • Top three prioritised actions
  • 60-minute call with one of our team
  • Suitable to share with insurer or auditor

Book a Health Check

Full engagement · Defensible written posture

Data Posture Snapshot

From $2,950

1–2 weeks

A fixed-fee deep-dive that produces the documented data inventory, scored baseline, and remediation roadmap your insurer, auditor, or B2B customer is about to ask for.

When to book this: you handle sensitive customer data, you want a defensible posture document on file, or you need to act on Privacy Act 2024 obligations comprehensively rather than in patches.

  • Written data inventory — what you hold, where, who can access it
  • Full Australian Privacy Principles and Essential 8 Maturity Level 1 baseline score
  • Prioritised remediation roadmap (do-it-yourself or have us do it)
  • Follow-up call to walk you through the findings

Book a Snapshot

Common questions

Do the Privacy Act 2024 reforms actually apply to my small business?

Yes — progressively. The historical small business exemption (under $3M annual turnover) is being phased out. The reforms apply across multiple commencement dates through 2025-26, with broader obligations applied to more businesses each phase. Even if your direct regulatory exposure is partial, the downstream pressure — insurance renewals, B2B supplier audits, lender finance applications — is already real for most SMBs that hold any customer data. The bigger question isn’t whether the rules apply; it’s whether you can demonstrate posture when someone asks.

We’re a small business — what’s the realistic worst-case if we just don’t act?

Three layered risks. First: an insurance renewal where you can’t demonstrate posture, and your premium jumps or your cover excludes privacy claims. Second: a B2B customer or supplier asks for compliance attestation before contracting, and you lose the work because you can’t produce one. Third (less likely but now possible): the new statutory tort lets an individual sue you directly for a serious breach, with penalties up to A$50M per serious breach. The first two will hit most businesses long before the third.

Is this enough for NDIS, health, or finance-adjacent data?

For most small businesses handling sensitive data, our baseline plus a documented breach-response plan covers the duty-of-care basics under the Australian Privacy Act. For formal certification (HDS, ISO 27001, IRAP), you need an accredited specialist — we’ll introduce you to one and work alongside them.

Do you sign Data Processing Agreements?

Yes. A Data Processing Agreement is a standard part of every engagement that involves customer or employee data.

What if we already have a cyber provider?

Even better. We deliver the systems, they handle threat monitoring and incident response. We exchange data inventories and access registers so nothing falls through the cracks between us.

Why not just call yourselves a cyber firm?

Because we’re not one. We don’t run a 24/7 Security Operations Centre and we don’t do penetration tests — those are specialist disciplines, and the people who do them well do them full-time. What we focus on is making sure the system you run every day isn’t the reason an incident happens in the first place.

Stop wondering where your data lives.

A Data Posture Snapshot gives you a written inventory, a scored baseline, and a prioritised remediation roadmap in 1–2 weeks.

Book a Data Posture Snapshot