Australia's Privacy Act is undergoing its most significant reform in two decades. Expected to take effect from mid-2026, the changes introduce mandatory breach reporting obligations, stricter consent requirements, and expanded rights for individuals to access, correct, and delete their personal data.
For small and medium businesses, the most critical change may be the potential removal of the $3 million revenue exemption. If this proceeds, thousands of Australian SMEs that were previously exempt from the Privacy Act will suddenly fall under its requirements.
What's Changing
- Mandatory data breach notification within 72 hours of becoming aware of an eligible breach.
- Stronger consent requirements for collecting and using personal information, particularly around marketing and third-party data sharing.
- A new right to erasure, allowing individuals to request deletion of their personal data in certain circumstances.
- Increased penalties for non-compliance, with fines that could reach into the millions for serious or repeated breaches.
- Expanded definition of personal information to include technical data like IP addresses and device identifiers.
Where Most SMEs Are Exposed
The gap between what the reformed Act will require and what most SMEs currently do is significant. Common exposure points include:
- Customer data stored in spreadsheets, shared drives, or personal email accounts with no access controls or audit trail.
- No documented privacy policy, or a policy that hasn't been updated since it was first created.
- No process for handling data access or deletion requests from customers.
- Marketing email lists with unclear consent records. If someone asks how you got their email address, can you demonstrate lawful consent, including when and how it was given?
- Third-party tools and SaaS platforms that process customer data without a clear data processing agreement in place.
Five Steps to Prepare
- Audit your data. Document what personal information you collect, where it's stored, who has access, and how long you keep it.
- Update your privacy policy. Ensure it reflects your actual data practices and meets the new requirements.
- Implement a breach response plan. Know who is responsible, what steps to take, and how to notify the Office of the Australian Information Commissioner (OAIC) within the required timeframe.
- Review your consent mechanisms. For marketing, ensure you have clear opt-in consent with records that prove when and how consent was given.
- Check your vendors. Any SaaS tool that processes customer data on your behalf needs a data processing agreement in place; start with the platforms that hold the most customer data.
The businesses that prepare now will handle the transition smoothly. Those that wait until enforcement begins will be scrambling to catch up under pressure.