The Australian Privacy Act has been part of the regulatory landscape since 1988. What has changed in the last two years is the urgency. With penalties now reaching $50 million for serious breaches and the government actively consulting on expanding individual rights, privacy compliance has moved from a legal nicety to a genuine business risk.

This guide is written for Australian small business owners — not lawyers. The goal is to give you a clear, practical picture of what you’re actually required to do, and what you can do this week to reduce your risk.

Does the Privacy Act apply to your business?

The Privacy Act applies to:

  • All businesses with annual turnover above $3 million
  • All health service providers, regardless of turnover
  • Businesses that trade in personal information (data brokers, direct marketers)
  • Credit reporting bodies and financial services businesses

Important: even if your business falls below the $3M turnover threshold, you still have obligations around employee personal information under the Fair Work Act, and you remain liable for data breaches that cause harm. Many business owners below this threshold are also voluntarily subject to the Act through contracts with larger clients.

What personal information are you probably collecting?

Most Australian small businesses collect more personal information than they realise:

  • Customer contact details, purchase history, and account information
  • Employee records (payroll, performance, health information)
  • Website visitor data (IP addresses, browsing behaviour, cookies)
  • CCTV footage if you operate physical premises
  • Payment card data (even if processed through a gateway)
  • Email marketing lists and engagement data

The five most common compliance gaps in Australian SMBs

1. No Privacy Policy, or one that doesn’t match actual practice

Many small businesses have a Privacy Policy copied from a template or a competitor’s website that doesn’t reflect what they actually do with personal information. A Privacy Policy must accurately describe how you collect, use, store, and disclose personal information. Inaccurate policies can attract regulatory attention.

2. No data breach response plan

The Notifiable Data Breaches scheme requires most businesses to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals when a data breach is likely to result in serious harm. Without a documented response plan, most businesses respond too slowly, assess the situation incorrectly, and miss notification obligations.

3. Personal data in unsecured locations

Spreadsheets emailed between staff. Customer lists in shared Google Drives with unrestricted access. Personal information in email attachments stored on personal devices. These are among the most common and most easily exploited vulnerabilities in small business data practices.

4. No data retention and deletion schedule

The Privacy Act requires you to destroy or de-identify personal information when it’s no longer needed for the purpose it was collected. In practice, most small businesses hold data indefinitely. Old customer records, former employee files, and enquiry data from years ago accumulate — increasing your breach exposure with no corresponding business benefit.

5. Third-party tools without proper agreements

Your CRM, accounting software, email marketing platform, and HR system all handle personal information on your behalf. Under the Privacy Act, you’re responsible for how they handle that information. This means having data processing agreements in place and understanding where your data is stored (particularly for overseas cloud providers).

Practical steps to compliance

  1. Conduct a data inventory. Map what personal information you hold, where it’s stored, who has access, and why you collected it. This is the foundation of everything else.
  2. Update your Privacy Policy to accurately reflect your actual data practices. If you’re not sure where to start, the OAIC has free templates at oaic.gov.au.
  3. Implement a data breach response procedure. This doesn’t need to be complex — a one-page document covering who to contact, what to assess, and what your notification obligations are is sufficient for most SMBs.
  4. Audit third-party access. Review which tools and contractors handle personal information and confirm you have appropriate agreements in place.
  5. Set data retention limits. Decide how long you need each category of personal information, and implement a process (manual or automated) to delete data past that point.
  6. Train your team. Even a 30-minute annual briefing on basic privacy obligations significantly reduces the risk of accidental breaches caused by staff error.

Technology that supports compliance

The right technology makes compliance easier to maintain without adding administrative burden:

  • Role-based access controls in your CRM (Zoho CRM, HubSpot) ensure staff only access the personal information they need
  • Encrypted cloud storage with proper configuration (Microsoft 365, Google Workspace) reduces breach risk significantly compared to local or unencrypted storage
  • Automated data deletion workflows (n8n, Zoho Flow) can automatically archive or delete records past their retention period
  • Multi-factor authentication across all systems that hold personal information — the single highest-impact security control for SMBs
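The retention step above (decide how long each category of personal information is kept, then delete or de-identify what is past that point) is easier to get right when the rule is written down once and applied mechanically. The following Python sketch is an added example, not code from this page or from any of the tools it names (n8n, Zoho Flow); the retention schedule, the record categories and the sample records are all constructed for illustration, and the periods would have to be replaced with the ones in your own schedule. It produces a plan rather than executing deletions, so the plan can be logged and reviewed before anything is destroyed, and it treats a legal hold and an unknown category as cases for a human rather than silently keeping or deleting.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Hypothetical retention schedule: category -> (days after last activity, action).
# The numbers are illustrative only; use the periods from your own schedule.
RETENTION_SCHEDULE = {
    "customer_account": (730, "delete"),        # 2 years after last purchase or login
    "enquiry":          (365, "delete"),        # 1 year after the enquiry was made
    "former_employee":  (2555, "de-identify"),  # 7 years after departure; keep non-PII stats
    "marketing_list":   (365, "delete"),        # 1 year without any engagement
}

# Fields treated as personal information when de-identifying a record.
PII_FIELDS = {"name", "email", "phone", "address"}


@dataclass
class Record:
    record_id: str
    category: str
    last_activity: date
    fields: dict = field(default_factory=dict)
    legal_hold: bool = False  # e.g. a complaint or dispute is open on this record


def retention_action(record: Record, today: date) -> str:
    """Decide what the sweep should do with one record.

    Returns one of: keep, hold, review, delete, de-identify.
    A legal hold always wins, and a category with no rule is flagged for
    review instead of being deleted by accident or kept forever.
    """
    if record.legal_hold:
        return "hold"
    rule = RETENTION_SCHEDULE.get(record.category)
    if rule is None:
        return "review"
    days, action = rule
    if today - record.last_activity > timedelta(days=days):
        return action
    return "keep"


def de_identify(record: Record) -> Record:
    """Return a copy with personal-information fields removed, other fields kept."""
    kept = {k: v for k, v in record.fields.items() if k not in PII_FIELDS}
    return Record(record.record_id, record.category, record.last_activity,
                  kept, record.legal_hold)


def run_sweep(records, today: date) -> dict:
    """Group record ids by the action the schedule calls for on `today`.

    Nothing is deleted here: the caller logs the plan, then applies the
    delete and de-identify lists against the real store.
    """
    plan = {"keep": [], "hold": [], "review": [], "delete": [], "de-identify": []}
    for record in records:
        plan[retention_action(record, today)].append(record.record_id)
    return plan


# Constructed sample records, not real data.
SAMPLE_RECORDS = [
    Record("C-1001", "customer_account", date(2024, 3, 1),
           {"name": "A. Sample", "email": "a@example.invalid"}),
    Record("C-1002", "customer_account", date(2021, 12, 15),
           {"name": "B. Sample", "email": "b@example.invalid"}),
    Record("E-2001", "enquiry", date(2023, 1, 10), {"email": "c@example.invalid"}),
    Record("E-2002", "enquiry", date(2023, 9, 1), {"email": "d@example.invalid"},
           legal_hold=True),
    Record("S-3001", "former_employee", date(2016, 5, 31),
           {"name": "E. Sample", "phone": "0000", "role": "Technician"}),
    Record("X-9001", "cctv_export", date(2020, 1, 1), {"note": "no rule defined"}),
]

if __name__ == "__main__":
    for action, ids in run_sweep(SAMPLE_RECORDS, date(2024, 6, 30)).items():
        print(f"{action:12s} {ids}")
```

Run it as a dry run first and keep the printed plan with the date; that log is the evidence that the retention step actually happens, which is what a regulator or a larger client's contract review will ask for.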

Concerned about your privacy compliance posture?

We provide a free 30-minute privacy compliance review — we’ll identify your key gaps and give you a prioritised action plan you can start implementing immediately.

Ready to put this into action?

Book a free 15-minute discovery call and we’ll give you honest, tailored advice for your business.
