CyberSure Community

Menu

Privacy Act 1988 Changes and How It Impacts Small Businesses

Privacy Act Overhaul: What It Means for Small Businesses and Cybersecurity

CyberSure Insights – March 2025

The Australian Privacy Act 1988 is on the brink of a historic change, and small businesses can no longer afford to ignore their cybersecurity responsibilities. For years, businesses with an annual turnover of less than $3 million enjoyed exemptions from the Act’s stringent privacy obligations. However, with the government moving to remove this exemption, small businesses will soon face the same compliance requirements as larger enterprises.

Why This Change Matters

The move to extend privacy obligations to small businesses is a response to the growing cybersecurity threats and increasing concerns over data protection. The Australian Government is aligning privacy laws with global standards, ensuring that businesses—regardless of size—are held accountable for safeguarding customer and employee data.

For small businesses, this means they will be required to:

  • Implement robust cybersecurity measures to protect personal and sensitive data.
  • Develop and maintain a Privacy Policy that clearly outlines how data is collected, stored, and used.
  • Report data breaches to the Office of the Australian Information Commissioner (OAIC) and affected individuals if they meet the Notifiable Data Breach scheme threshold.
  • Conduct privacy impact assessments for high-risk activities involving personal data.

Cybersecurity Is No Longer Optional – Enter the Essential Eight

With cyber threats escalating, small businesses need to act fast to implement the Essential Eight, a cybersecurity framework developed by the Australian Cyber Security Centre (ACSC). This framework provides practical mitigation strategies to reduce cyber risks. The Essential Eight includes:

  1. Application control – Prevent unauthorized applications from executing.
  2. Patch applications – Regularly update software to fix security vulnerabilities.
  3. Configure Microsoft Office macro settings – Block macros from unknown sources.
  4. User application hardening – Disable unnecessary features that cybercriminals exploit.
  5. Restrict administrative privileges – Limit admin access to reduce risk.
  6. Patch operating systems – Keep OS patches up to date.
  7. Multi-factor authentication (MFA) – Add an extra layer of login security.
  8. Regular backups – Protect critical data from ransomware and cyberattacks.

Aligning with the Essential Eight will not only enhance security but also prepare businesses for regulatory compliance.

New Liabilities and Hefty Penalties

Once this change takes effect, small businesses failing to comply with the Privacy Act could face severe penalties. Under the new rules:

  • Companies could be fined up to $50 million, three times the value of the benefit obtained, or 30% of annual turnover, whichever is higher.
  • Individuals responsible for privacy breaches may face fines of up to $500,000.

This means that a lack of cybersecurity preparedness could financially cripple small businesses and damage their reputation beyond repair.

The Time to Act Is Now

Small businesses must take immediate steps to:

  • Assess their current cybersecurity posture and identify gaps.
  • Implement the Essential Eight to minimize vulnerabilities.
  • Develop comprehensive privacy and data protection policies.
  • Train staff on data handling and cybersecurity best practices.
  • Engage cybersecurity professionals to ensure compliance and resilience.

At CyberSure, we specialize in helping businesses navigate these regulatory changes with confidence. Our expert team can assist in implementing the Essential Eight, conducting risk assessments, and ensuring that your business is fully compliant before the new laws come into effect.

Don’t wait until it’s too late. Secure your business today.

For more insights and cybersecurity solutions, visit www.CyberSure.Community

Contact details;
Email: hello@cybersure.community
Tel: 1300 898 590

Post Your Comment

Powered by  GDPR Cookie Compliance
Privacy Overview

Our Privacy Policy

CyberSure Community is committed to providing quality services to you and this policy outlines our ongoing obligations to you in respect of how we manage your Personal Information.

We have adopted the Australian Privacy Principles (APPs) contained in the Privacy Act 1988 (Cth) (the Privacy Act). The NPPs govern the way in which we collect, use, disclose, store, secure and dispose of your Personal Information.

A copy of the Australian Privacy Principles may be obtained from the website of The Office of the Australian Information Commissioner at https://www.oaic.gov.au/.

What is Personal Information and why do we collect it?

Personal Information is information or an opinion that identifies an individual. Examples of Personal Information we collect includes names, addresses, email addresses, phone and facsimile numbers.

This Personal Information is obtained in many ways including interviews, correspondence, by telephone, by email, via our website ‘www.cybersure.community’, from media and publications, from other publicly available sources, from cookies and from third parties. We don’t guarantee website links or policy of authorised third parties.

We collect your Personal Information for the primary purpose of providing our services to you, providing information to our clients and marketing. We may also use your Personal Information for secondary purposes closely related to the primary purpose, in circumstances where you would reasonably expect such use or disclosure. You may unsubscribe from our mailing/marketing lists at any time by contacting us in writing.

When we collect Personal Information we will, where appropriate and where possible, explain to you why we are collecting the information and how we plan to use it.

Sensitive Information

Sensitive information is defined in the Privacy Act to include information or opinion about such things as an individual's racial or ethnic origin, political opinions, membership of a political association, religious or philosophical beliefs, membership of a trade union or other professional body, criminal record or health information.

Sensitive information will be used by us only:

• For the primary purpose for which it was obtained

• For a secondary purpose that is directly related to the primary purpose

• With your consent; or where required or authorised by law.

Third Parties

Where reasonable and practicable to do so, we will collect your Personal Information only from you. However, in some circumstances we may be provided with information by third parties. In such a case we will take reasonable steps to ensure that you are made aware of the information provided to us by the third party.

Disclosure of Personal Information

Your Personal Information may be disclosed in a number of circumstances including the following:

• Third parties where you consent to the use or disclosure; and

• Where required or authorised by law.

Security of Personal Information

Your Personal Information is stored in a manner that reasonably protects it from misuse and loss and from unauthorized access, modification or disclosure.

When your Personal Information is no longer needed for the purpose for which it was obtained, we will take reasonable steps to destroy or permanently de-identify your Personal Information. However, most of the Personal Information is or will be stored in client files which will be kept by us for a minimum of 7 years.

Access to your Personal Information

You may access the Personal Information we hold about you and to update and/or correct it, subject to certain exceptions. If you wish to access your Personal Information, please contact us in writing.

CyberSure Community will not charge any fee for your access request, but may charge an administrative fee of $149 + gst per request for providing a copy of your Personal Information.

In order to protect your Personal Information we may require identification from you before releasing the requested information.

Maintaining the Quality of your Personal Information

It is an important to us that your Personal Information is up to date. We will take reasonable steps to make sure that your Personal Information is accurate, complete and up-to-date. If you find that the information we have is not up to date or is inaccurate, please advise us as soon as practicable so we can update our records and ensure we can continue to provide quality services to you.

Policy Updates

This Policy may change from time to time and is available on our website.

Privacy Policy Complaints and Enquiries

If you have any queries or complaints about our Privacy Policy please contact us at:

[email protected]