Data Privacy Basics Every Business Needs
Most Australian businesses collect personal data. Customer emails, phone numbers, payment details, browsing behaviour, employee records — it adds up fast. Yet a surprising number of those businesses couldn’t tell you where that data is stored, who has access to it, or what their legal obligations are.

That’s a problem. And it’s getting more expensive to ignore.

Why This Matters Now

Australia’s privacy landscape has been tightening. The Privacy Act 1988 review proposed sweeping changes, many of which are being progressively implemented. Penalties have increased dramatically — the maximum fine for serious breaches is now the greater of $50 million, three times the value of any benefit obtained, or 30% of adjusted turnover.

Those aren’t typos. The government is serious.

The Optus and Medibank breaches in 2022-2023 were wake-up calls. They showed that data breaches affect millions of everyday Australians and that regulators will pursue enforcement. Since then, the Office of the Australian Information Commissioner (OAIC) has been more active in investigating and penalising non-compliance.

What the Law Requires

If your business has an annual turnover of more than $3 million, you’re covered by the Privacy Act. But even smaller businesses are covered if they handle health information, are government contractors, or trade in personal information. The threshold is likely to be removed entirely under coming reforms, bringing all businesses into scope.

Here’s what compliance looks like at a minimum:

An up-to-date privacy policy. This isn’t a “set and forget” legal document buried on your website. It needs to accurately describe what data you collect, why, how you store it, who you share it with, and how people can access or correct their information.

The Notifiable Data Breaches scheme. If you experience a breach that’s likely to cause serious harm, you must notify both the OAIC and affected individuals. You have 30 days to assess whether a breach is notifiable after becoming aware of it. In practice, that means you need a process for detecting and assessing breaches — not just reacting when someone notices.

Australian Privacy Principles (APPs). There are 13 of them, covering everything from collection and use to cross-border disclosure and data quality. You don’t need to memorise them all, but you do need to understand the ones relevant to your operations.

The Practical Stuff

Legal obligations aside, here’s what sensible data management actually looks like for a typical business:

Know what you collect. Audit your data. Every form, every system, every spreadsheet. You can’t protect what you don’t know about. Most businesses are shocked by how much personal data is scattered across tools, inboxes, and shared drives.

Minimise collection. Don’t collect data you don’t need. That marketing form asking for date of birth, address, and phone number when all you need is an email? Strip it back. Every piece of data you hold is a liability in a breach.

Control access. Not everyone in your company needs access to everything. Apply the principle of least privilege: people get access to the data they need for their role, nothing more. Review access regularly, especially when people change roles or leave.

Encrypt at rest and in transit. This should be default, but it still isn’t everywhere. Data stored in databases should be encrypted. Data moving between systems should use TLS. There’s no excuse for unencrypted personal data in 2026.

Have an incident response plan. Not if a breach happens — when. A Verizon Data Breach Investigations Report analysis found that the average time to detect a breach is still measured in months, not hours. Having a documented plan with clear roles and responsibilities dramatically reduces response time and damage.

Common Mistakes

Using personal emails for business data. When employees use Gmail or Outlook personal accounts for work, you lose all control over that data. It’s a breach waiting to happen.

Keeping data forever. If you don’t have a retention policy, you’re keeping everything by default. That data from a customer who bought something in 2018 and never returned? You probably don’t need it, and holding it increases your risk surface.
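The two habits above (knowing what you hold, and not keeping it forever) lend themselves to a quick scripted check. The following is an added example, not code from the original article: it scans a constructed customer export, flags which columns contain personal data (email addresses, Australian mobile numbers, payment card numbers validated with the Luhn check) and lists records older than an assumed seven-year retention period. The file layout, the regexes and the seven-year cut-off are all assumptions for illustration.

```python
import csv
import re
from datetime import date

# Constructed sample export; the kind of spreadsheet a data audit turns up.
SAMPLE_CSV = """customer_id,email,mobile,card_number,dob,last_purchase
1001,alice@example.com,0412 345 678,4111111111111111,1985-03-02,2018-06-14
1002,bob@example.com,+61 400 000 000,,1990-11-23,2025-09-30
1003,carol@example.com,,5500000000000004,,2019-01-05
"""
REPORT_DATE = date(2026, 1, 1)  # constructed "today" for the retention check

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# Australian mobile numbers: 04xx xxx xxx or +61 4xx xxx xxx, spaces optional.
AU_MOBILE_RE = re.compile(r"^(?:\+61\s?4|04)\d{2}\s?\d{3}\s?\d{3}$")

def luhn_ok(digits: str) -> bool:
    """Luhn check digit used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)  # double every second digit from the right
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def classify(value: str):
    """Label one cell as a category of personal data, or None."""
    v = value.strip()
    if EMAIL_RE.match(v):
        return "email"
    if AU_MOBILE_RE.match(v):
        return "phone"
    digits = v.replace(" ", "")
    if digits.isdigit() and 13 <= len(digits) <= 19 and luhn_ok(digits):
        return "payment_card"
    return None  # dates such as dob need column-name rules, not covered here

def inventory(csv_text: str) -> dict:
    """Map each column to the personal-data categories found in it."""
    found: dict = {}
    for row in csv.DictReader(csv_text.splitlines()):
        for col, val in row.items():
            if cat := classify(val or ""):
                found.setdefault(col, set()).add(cat)
    return found

def stale_records(csv_text: str, date_col: str, today: date, max_years: int = 7) -> list:
    """IDs whose date_col is older than the assumed 7-year retention period."""
    cutoff = today.replace(year=today.year - max_years)
    return [r["customer_id"] for r in csv.DictReader(csv_text.splitlines())
            if r[date_col] and date.fromisoformat(r[date_col]) < cutoff]
```

Run against a real export, the inventory output is the first draft of the data map the audit step calls for, and the stale list is the starting point for a retention decision.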

Ignoring third-party risk. Your data is only as secure as the weakest tool in your stack. That cheap CRM, that free form builder, that marketing tool with servers overseas — each one is handling your customers’ data. Make sure they’re compliant too.

No training. The biggest vulnerability in any business is human error. Phishing, weak passwords, accidental data sharing — these are training problems, not technology problems. Regular, practical security training is one of the cheapest and most effective investments you can make.

Getting Started

If you’re starting from scratch, don’t try to do everything at once. Here’s a sensible order:

  1. Audit your data. Map what you collect, where it lives, and who can access it.
  2. Update your privacy policy. Make it accurate and readable.
  3. Implement basic security. Encryption, access controls, multi-factor authentication.
  4. Create a breach response plan. Document who does what when something goes wrong.
  5. Train your team. Annual training at minimum, with phishing simulations.
  6. Review your vendors. Ensure third-party tools meet privacy requirements.

It’s Not About Perfection

No system is perfectly secure. The goal isn’t to eliminate risk — it’s to manage it responsibly. Businesses that take privacy seriously protect their customers, their reputation, and their bottom line. The ones that don’t are playing a game where the penalties are getting steeper every year.

Start where you are. Improve from there. Your customers’ data deserves at least that much.