The most significant SMB privacy shift in a decade

The Privacy Act changed.
Most small businesses don’t know they’re now exposed.

Royal Assent 10 December 2024. Statutory tort live since 10 June 2025. First A$5.8M civil penalty handed down October 2025. OAIC proactive compliance sweep launched January 2026. The reforms are no longer theoretical.

The bigger commercial pressure isn’t the regulator — it’s your insurer and your B2B customers asking for evidence of posture at renewal and contract review. Most SMBs are about to be asked questions they can’t currently answer.

What changed

The five reforms that matter for small business

The reform package contained many changes; these are the five with the most material commercial impact for SMBs.

01

Statutory tort for serious invasions of privacy

Live since 10 June 2025. Individuals can now sue businesses directly for serious privacy breaches without waiting for OAIC action. The first case under the new tort — Kurraba Group v Williams [2025] NSWDC 396 — was filed within months of commencement. Crucially, the tort applies regardless of the small business turnover exemption: even SMBs under A$3M can be sued by customers.

Impact

Customer lawsuits are no longer hypothetical — they are a live exposure.

02

Penalties recalibrated — A$50M, 3× benefit, or 30% of turnover

For serious or repeated interferences with privacy, the maximum civil penalty is the greater of A$50 million, three times the benefit obtained from the contravention, or 30% of adjusted turnover during the contravention period. That top tier was introduced by the December 2022 amendments; the 2024 Act added the lower tiers beneath it, including infringement-notice powers of up to A$66,000 per contravention for less-serious matters, so enforcement against smaller incidents is now economically viable for the OAIC.

Impact

Both the ceiling and the floor of regulator-led penalties have moved.

03

First precedent already set — Australian Clinical Labs (Oct 2025)

ACL was ordered by the Federal Court to pay a A$5.8 million civil penalty in October 2025, the first civil penalty ever imposed under the Privacy Act (the contraventions date from 2022, so the current penalty ceiling did not apply). The judgment broke down as A$4.2M for failure to take reasonable steps to protect personal information, A$800k for inadequate assessment of the breach, and A$800k for failure to notify in time. The pattern matters: the security failure, the assessment failure, and the notification failure each attracted a separate penalty.

Impact

Reasonable steps + breach assessment + timely notification are now scored independently.

04

Small business exemption under active review

The under-A$3M turnover exemption still currently shields ~95% of Australian businesses from direct Privacy Act obligations — and is widely expected to be removed in the next reform tranche, with the Government having already committed to its removal in principle. The combination of the statutory tort (which ignores the exemption), insurance and B2B pressure (which ignores it commercially), and the looming legislative change makes the exemption an increasingly thin shield.

Impact

The "we’re too small to worry" position is eroding from multiple directions.

05

OAIC moving from reactive to proactive — first compliance sweep Jan 2026

The OAIC launched its first ever active compliance sweep in January 2026, focused on privacy policy adequacy and consent practices. Combined with the new infringement-notice powers, this represents a structural shift: the regulator no longer waits for a notifiable breach to look at your privacy posture — it can now actively review and penalise without a triggering incident.

Impact

Privacy posture is now subject to spot review, not just incident-driven enforcement.

What is already in force

The commencement timeline

Most of the reform package is no longer hypothetical. Royal Assent was December 2024; the first civil penalty has already landed.

  1. 10 Dec 2024

    Royal Assent

    The Privacy and Other Legislation Amendment Act 2024 received Royal Assent — the biggest privacy reform package since the original 1988 Act.

  2. 10 Jun 2025

    Statutory tort commenced

    Serious invasions of privacy tort took effect. First case (Kurraba Group v Williams) filed within months. Applies to small businesses currently exempt from the Act.

  3. Oct 2025

    First civil penalty — A$5.8M

    Australian Clinical Labs ordered to pay the first civil penalty ever imposed under the Privacy Act: A$4.2M security + A$800k assessment + A$800k notification.

  4. Jan 2026

    OAIC compliance sweep launched

    First ever proactive OAIC compliance sweep — privacy policies and consent practices reviewed without a breach trigger. Infringement notices to A$66,000 per contravention.

  5. 2026 onward

    Small business exemption review

    Removal of the under-A$3M turnover exemption is the headline item in the next legislative tranche; timing not yet fixed but the policy direction is committed.

First civil penalty under the Privacy Act

A$5.8 million. Three separate failures. One judgment.

Australian Clinical Labs, Federal Court, October 2025. The first civil penalty ever imposed under the Privacy Act shows exactly how a breach is scored.

A$4.2M

Reasonable steps failure

Inadequate security controls to protect the personal information it held.

A$800k

Assessment failure

Inadequate assessment of whether the incident was a notifiable breach.

A$800k

Notification failure

Failure to notify affected individuals and the OAIC within the required timeframe.

The structural takeaway for SMBs: prevention, assessment, and notification are now three separate obligations. You can’t recover from a security gap by handling the response well, and you can’t recover from a slow response by claiming the security itself was reasonable.

The real-world pressure

The bigger pressure isn’t the regulator. It’s your insurer.

Regulator action is the headline risk, but the real-world pressure most SMBs will feel first is commercial.

A$467M

Australian cyber insurance gross written premium, 2025

15–20%

S&P Global forecast premium increase for 2026

82%

of denied cyber claims in 2024–25 involved organisations without full MFA

99%

of 2025 cyber insurance applications now include explicit MFA questions

Insurance renewals

Brokers and underwriters are now actively asking for evidence of privacy posture at renewal. Without documented posture, premiums are jumping — and some insurers are excluding cyber/privacy claims entirely for non-compliant SMBs. This pressure is hitting buyers before regulator action does.

B2B supplier audits

Larger customers (especially in professional services, healthcare, government supply chains, and finance) are increasingly requiring privacy compliance attestation as part of procurement. Without one, you can lose tenders and contracts — and not be told why.

Bank and lender finance applications

Some banks and lenders are now including privacy posture questions in business loan applications, particularly for businesses handling customer data. Weak posture can complicate or delay finance.

Litigation precedent forming

The first serious-case litigation under the new statutory tort is happening now, with another wave expected through late 2026. Legal precedent is being set right now, which makes the next round of cases easier and more numerous.

Sources: Coalition 2024 cyber insurance data · Marsh McLennan 2025 Cyber Insurance Market Report · S&P Global 2026 forecast.

Where you sit on the exposure ladder

Who’s actually affected

The phased nature of the reforms means different sectors are affected differently. The pattern below is the realistic 2026 picture.

Almost certainly applies to you

  • Allied health (physio, psych, dietitians, podiatry)
  • NDIS providers and aged care
  • Legal, accounting, financial advice
  • Recruitment and labour hire
  • Medical, dental, and specialist practices
  • Any business storing health, financial, or identification data

Increasingly applies — even if you thought you were exempt

  • Trades (plumbing, electrical, building) — customer data + invoicing
  • Retail with loyalty programs or customer accounts
  • Hospitality with bookings + payment data
  • Manufacturers with B2B customer records
  • Real estate agencies
  • Consultants holding any customer-identifiable data

Lower direct exposure — but still feeling downstream pressure

  • Sole-trader services without staff data or customer records
  • Businesses with no online presence and no third-party data processors
  • Businesses whose contracts don’t require attestation

What to do — three steps

Start where you are. Move up as the pressure grows.

Three options. Pick where you actually need to be — most businesses start with the free Readiness Quiz.

Step 1

Free

Start free — Privacy Act Readiness Quiz

Five minutes. Ten honest questions across knowledge, documentation, incident readiness, vendor hygiene, and external pressure. You get a scored picture of your current exposure and a recommended next step. No payment, no sales call required.

Take the Readiness Quiz

Step 2

From $895

Privacy Health Check

Structured 60-minute review against the Australian Privacy Principles and Essential 8 Maturity Level 1. We produce a 1-page Statement of Posture you can hand to an insurer, auditor, or B2B customer who’s asking for evidence. Top three prioritised actions included.

Book a Privacy Health Check

Step 3

From $2,950

Data Posture Snapshot

A 1–2 week fixed-fee deep-dive that produces the full documented data inventory, scored APP and Essential 8 baseline, prioritised remediation roadmap, and a defensible written posture suitable for serious compliance review. The complete evidence package.

Book a Snapshot

All three steps are designed to build on each other. The Readiness Quiz takes 5 minutes and recommends which paid step (if any) is the right fit for your situation.

Common questions

When do the reforms actually apply to my business?

Most of the reforms are already in force. Royal Assent was 10 December 2024. The statutory tort commenced 10 June 2025 and, importantly, it applies regardless of the small business exemption, so customers can sue you directly even if you are under the A$3M turnover threshold. The A$50M / 3× benefit / 30% of turnover penalty regime is live. The OAIC began its first proactive compliance sweep in January 2026. The remaining open question is the timing of the small business exemption removal itself, which is committed in principle but not yet legislated. The safe assumption: if you hold any customer data, the regulatory and commercial pressure is already on.

What is the Australian Clinical Labs case, and why does it matter for SMBs?

In October 2025 the OAIC secured a A$5.8 million civil penalty against Australian Clinical Labs in the Federal Court, the first civil penalty ever imposed under the Privacy Act. The judgment broke down as A$4.2M for failing to take reasonable steps to protect personal information, A$800k for inadequately assessing the breach, and A$800k for failing to notify in time. The reason it matters for SMBs is the structure: each of the three failures was scored independently. You cannot recover from a security gap by handling the response well, and you cannot recover from a slow response by claiming the security itself was reasonable. The Act treats prevention, assessment, and notification as three separate obligations.

I am under A$3M turnover. Doesn’t the small business exemption still cover me?

It still currently shields you from direct Privacy Act obligations on most personal data. It does not shield you from the statutory tort that commenced 10 June 2025, it does not shield you from sensitive-data obligations (health, biometric, identifying records), and it does not shield you from the commercial pressure from insurers and B2B customers asking for documented posture as a condition of cover or contract. The Government has committed in principle to removing the exemption in a future legislative tranche. Relying on the exemption alone is now a thinning shield from three directions at once.

I’m a sole trader with no staff. Do I really need to do anything?

Direct regulatory exposure may be limited, but the commercial pressure is the same. If you handle customer data and you ever apply for business insurance, want to work with B2B customers, or apply for business finance, you’ll be asked about your privacy posture. The Privacy Health Check at $895 is sized precisely for this situation: the quickest path to a one-page statement you can produce when asked.

What does "documented posture" actually mean?

A written data inventory (what data you hold, where it lives, who can see it), a scored baseline against the Australian Privacy Principles and Essential 8 Maturity Level 1 hygiene, evidence of reasonable steps (MFA, role-based access, vendor register, breach response plan, staff awareness), and a current Statement of Posture suitable for sharing with an insurer or auditor. That’s what the Privacy Health Check and Data Posture Snapshot produce.

Doesn’t my IT person or cyber insurance already cover this?

No, those address different things. IT covers technical security. Cyber insurance covers financial loss after an incident, but most policies now require evidence of posture as a pre-condition of the cover holding. Privacy Act compliance is a separate set of obligations covering how you collect, store, use, retain, and dispose of customer data, and whether you can prove reasonable steps. Without documented posture you may have insurance that won’t actually pay out when you need it.

What happens if we just wait and see?

Three layered risks accumulate while you wait. (1) Insurance renewal pressure builds: premiums increase, cover narrows, or insurers exclude cyber/privacy claims for businesses without documented posture. (2) B2B opportunities get harder to win because larger customers now ask for compliance attestation as part of procurement. (3) If a breach happens, your defensive position is much weaker: "we hadn’t got around to it" reads very differently to a regulator and a court than "we had documented posture, we’re fixing the gaps we identified." The wait-and-see strategy has become substantially more expensive.

Isn’t this just more red-tape compliance work that doesn’t affect customers?

That was a reasonable framing 18 months ago. Less so now. The same posture work that satisfies the regulatory regime is also what your insurer, your B2B customers, and your lenders are increasingly asking for. The privacy product isn’t a one-off compliance ticket; it’s the documented baseline that lets you keep operating and keep contracting. Most clients who do this work find the commercial benefits show up before any regulatory issue does.

Want to see how data security & privacy is baked into every DataSentry engagement, not just productised reviews?

See our approach to data security and privacy →

Five minutes now beats five hours after an insurer asks.

Start with the free Readiness Quiz. You’ll know in five minutes whether you have a problem, how big it is, and what to do about it.

Take the Readiness Quiz →