This piece was written for Privacy Awareness Week 2026 (4–10 May). The week has passed. The regulatory obligations haven’t.

The theme for Privacy Awareness Week 2026 was “Trust is built here — in every privacy complaint, in every resolution.” It’s a good theme. But for Australian SMEs, trust isn’t built in complaint resolution. Trust is built — or destroyed — in the ten thousand small decisions that happen before a complaint is ever lodged.

The Privacy Act doesn’t ask you to handle complaints well. It asks you to not give people a reason to complain in the first place.

What changed in December 2024 — and what it means

The Privacy and Other Legislation Amendment Act 2024 received royal assent in December 2024. It’s the most significant amendment to Australia’s privacy regime since the Notifiable Data Breaches scheme commenced in 2018.

The reforms aren’t optional, and they’re not theoretical. The OAIC conducted a compliance sweep in January 2026 specifically targeting privacy policy compliance. Fines of up to $66,000 per deficiency — under APP 1.4 — are available for non-compliant privacy policies.

$66,000 per deficiency. Not per incident. Per deficiency in your privacy policy document. If your policy is the one you downloaded from a template site in 2019, you have multiple deficiencies. That’s not speculation — it’s arithmetic.

The three changes that matter most for SMEs:

APP 11.3 — Security measures are now explicit. The Act now requires entities to take “reasonable steps, including technical and organisational measures” to protect personal information. The phrase “technical and organisational measures” is lifted directly from GDPR — it’s no coincidence. It signals that both your IT controls and your governance structures are in scope. A firewall is a technical measure. A documented information security policy is an organisational measure. Annual staff training is an organisational measure. An incident response plan is an organisational measure. You need both, and you need to be able to demonstrate both.
The statutory tort for serious invasion of privacy. Since 2025, an individual can sue your organisation directly for a serious invasion of their privacy. They don’t need to demonstrate financial loss. They don’t need to wait for the OAIC to investigate. They can go straight to a court. The plaintiff needs to show that a reasonable person in their position would have had a reasonable expectation of privacy, and that the invasion was serious. This is a new litigation pathway that your legal exposure assessment should already account for.
NDB — the 30-day clock. When does the clock start? Not when your IT team escalates. Not when the CEO is briefed. When anyone in your organisation first becomes aware there are reasonable grounds to believe an eligible data breach has occurred. That includes your receptionist. That includes the junior account manager who noticed something odd in their email. The moment the words “I think we’ve been hacked” leave anyone’s lips, you are potentially on the clock.

What trust actually looks like

Trust in privacy is not about grand gestures. It’s about the mundane, unglamorous business of doing the right thing consistently.

It looks like knowing what personal information you collect, where it goes, how long you keep it, and who can access it. That’s a data inventory. It doesn’t have to be complex — it has to exist and be accurate.

It looks like having a privacy policy that reflects your actual practices, not a generic document that no-one has read since it was published. Under APP 1.4, your policy must describe the kinds of personal information you collect, how you collect it, how you use and disclose it, and how individuals can access or correct their information. If your policy says “we may collect information about you” and stops there, it’s non-compliant.

It looks like training your staff to recognise a potential data breach and to know what to do in the first 24 hours. The organisation that handles a breach well earns more trust — sometimes — than the one that never had a breach at all. The organisation that discovers a breach six months after the fact and notifies affected individuals four months after that earns nothing except regulatory attention.

It looks like making it genuinely easy for individuals to access their data or request a correction. Not burying the process in fine print. Not requiring people to fill in a form that goes nowhere.

The SME question I get asked most often

“Do we actually need to worry about this? We’re small.”

The honest answer: the Privacy Act threshold currently exempts businesses with annual turnover under $3 million. That threshold is proposed to be removed under the Tranche 2 reforms, expected to be legislated in 2026–2027. The direction is settled even if the date isn’t.

More immediately: some obligations apply regardless of turnover. If your organisation handles health information, operates an employee file, or provides services to a federal government entity — you may already be subject to the Act regardless of revenue.

And even if you’re currently exempt, your clients may not be. If you’re an MSP, accountant, or bookkeeper handling personal information on behalf of clients who are covered entities, your practices affect their compliance. That creates commercial risk for you regardless of your own regulatory status.

The question isn’t “are we covered?” The question is “do our practices meet the standard that clients, employees, and regulators will hold us to?”

The minimum an SME needs to do

Audit your privacy policy. Is it current? Does it accurately reflect how you collect, use, store, and disclose personal information? If not, fix it. The cost of fixing a non-compliant privacy policy is vastly lower than $66,000 per deficiency.
Know your data. You cannot protect what you don’t know you have. Map the personal information you hold — customer data, employee data, supplier contacts. Know where it lives and who has access. This doesn’t need to be a complex project. A spreadsheet that’s accurate is worth more than a sophisticated data governance platform that nobody uses.
Have a plan for when something goes wrong. A basic incident response plan — who to call, what to do in the first 24 hours, when to notify the OAIC — costs very little to document and very much to not have. The 30-day NDB clock starts when anyone in your organisation becomes aware. Your plan determines whether that 30 days is used well.
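The “spreadsheet that’s accurate” in step two only earns its keep if someone reviews it. The script below is an added example, not part of this article and not a Coastal Cyber tool: it reads a small personal-information inventory in CSV form, checks that every record names an access owner, and flags records whose retention period has elapsed so they can be reviewed for deletion. The column names, categories, dates and retention periods are constructed assumptions for the example; substitute your own inventory.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample inventory (an assumption for this example, not a template
# from the article). One row per kind of personal information held; retention is
# counted in days from the date the record set was collected.
SAMPLE_INVENTORY = """\
category,location,collected_on,retention_days,access_owner
customer contact details,CRM (SaaS),2021-03-15,2555,Sales Manager
employee payroll records,HR system,2019-07-01,2555,HR Lead
recruitment applications (unsuccessful),Shared drive,2023-02-10,180,
supplier contacts,Accounting package,2022-11-20,2555,Finance Lead
marketing newsletter list,Email platform,2018-05-05,1095,Marketing Lead
"""

# The four questions an inventory has to answer: what, where, how long, who.
REQUIRED_COLUMNS = {"category", "location", "collected_on", "retention_days", "access_owner"}


def load_inventory(text):
    """Parse the CSV and refuse an inventory that lacks any required column."""
    rows = list(csv.DictReader(io.StringIO(text)))
    if not rows:
        raise ValueError("inventory is empty")
    missing = REQUIRED_COLUMNS - set(rows[0].keys())
    if missing:
        raise ValueError(f"inventory is missing columns: {sorted(missing)}")
    return rows


def review_inventory(rows, today_iso):
    """Return (category, finding) pairs for records needing attention as of today_iso."""
    today = date.fromisoformat(today_iso)
    findings = []
    for row in rows:
        category = row["category"]
        # Nobody accountable for access is itself a finding.
        if not row["access_owner"].strip():
            findings.append((category, "no access owner recorded"))
        collected = date.fromisoformat(row["collected_on"])
        expiry = collected + timedelta(days=int(row["retention_days"]))
        # Data held past its retention period should be reviewed for deletion.
        if today > expiry:
            findings.append((category, f"retention expired on {expiry.isoformat()}; review for deletion"))
    return findings


if __name__ == "__main__":
    for category, finding in review_inventory(load_inventory(SAMPLE_INVENTORY), "2026-05-11"):
        print(f"{category}: {finding}")
```

Run against the sample rows as of 11 May 2026, the script reports the unsuccessful recruitment applications twice (no owner, and 180-day retention long expired) and the newsletter list once, while the payroll records, which fall due in June 2026, pass. The point is not the code but the habit: a retention column that is actually checked turns “delete data you no longer need” from an intention into a routine.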

Trust is built in the decisions no-one sees. The decision to delete data you no longer need. The decision to encrypt a file that didn’t strictly require it. The decision to train a new staff member properly rather than pointing them at a policy they’ll never read.

Those decisions compound over time. So does the absence of them.

Daniel Johns is a CRISC-certified virtual CISO and GRC advisor, Founder of Coastal Cyber, and a member of the ISACA Global Advisory Council and CompTIA Executive Council ANZ. He works with healthcare providers, financial services firms, and technology businesses across Southeast Queensland on privacy, cyber security, and governance.

If your privacy and cyber posture needs a clear-eyed assessment, book a 20-minute conversation.