Privacy Act 1988 Changes and How It Impacts Small Businesses

Privacy Act Overhaul: What It Means for Small Businesses and Cybersecurity

CyberSure Insights – March 2025

The Australian Privacy Act 1988 is on the brink of a historic change, and small businesses can no longer afford to ignore their cybersecurity responsibilities. For years, businesses with an annual turnover of less than $3 million enjoyed exemptions from the Act’s stringent privacy obligations. However, with the government moving to remove this exemption, small businesses will soon face the same compliance requirements as larger enterprises.

Why This Change Matters

The move to extend privacy obligations to small businesses is a response to the growing cybersecurity threats and increasing concerns over data protection. The Australian Government is aligning privacy laws with global standards, ensuring that businesses—regardless of size—are held accountable for safeguarding customer and employee data.

For small businesses, this means they will be required to:

  • Implement robust cybersecurity measures to protect personal and sensitive data.
  • Develop and maintain a Privacy Policy that clearly outlines how data is collected, stored, and used.
  • Report eligible data breaches to the Office of the Australian Information Commissioner (OAIC) and to affected individuals where the breach meets the Notifiable Data Breaches scheme threshold.
  • Conduct privacy impact assessments for high-risk activities involving personal data.

Cybersecurity Is No Longer Optional – Enter the Essential Eight

With cyber threats escalating, small businesses need to act fast to implement the Essential Eight, a cybersecurity framework developed by the Australian Cyber Security Centre (ACSC). This framework provides practical mitigation strategies to reduce cyber risks. The Essential Eight includes:

  1. Application control – Prevent unauthorized applications from executing.
  2. Patch applications – Regularly update software to fix security vulnerabilities.
  3. Configure Microsoft Office macro settings – Block macros from unknown sources.
  4. User application hardening – Disable unnecessary features that cybercriminals exploit.
  5. Restrict administrative privileges – Limit admin access to reduce risk.
  6. Patch operating systems – Keep OS patches up to date.
  7. Multi-factor authentication (MFA) – Add an extra layer of login security.
  8. Regular backups – Protect critical data from ransomware and cyberattacks.

Aligning with the Essential Eight will not only enhance security but also prepare businesses for regulatory compliance.

New Liabilities and Hefty Penalties

Once this change takes effect, small businesses failing to comply with the Privacy Act could face severe penalties. Under the new rules:

  • Companies could be fined up to $50 million, three times the value of the benefit obtained, or 30% of annual turnover, whichever is higher.
  • Individuals responsible for privacy breaches may face fines of up to $500,000.

This means that a lack of cybersecurity preparedness could financially cripple small businesses and damage their reputation beyond repair.

The Time to Act Is Now

Small businesses must take immediate steps to:

  • Assess their current cybersecurity posture and identify gaps.
  • Implement the Essential Eight to minimize vulnerabilities.
  • Develop comprehensive privacy and data protection policies.
  • Train staff on data handling and cybersecurity best practices.
  • Engage cybersecurity professionals to ensure compliance and resilience.

At CyberSure, we specialize in helping businesses navigate these regulatory changes with confidence. Our expert team can assist in implementing the Essential Eight, conducting risk assessments, and ensuring that your business is fully compliant before the new laws come into effect.

Don’t wait until it’s too late. Secure your business today.

For more insights and cybersecurity solutions, visit CyberSure.Community or contact us at hello@cybersure.community

1300 898 590