Privacy Act 2026: 12 things every Australian SMB needs to do

By Greg Markowski / Jun 4, 2026 / Cybersecurity & Compliance

The Privacy Act 2026 reforms moved the regulator from “toothless” to “materially enforcing” inside 18 months. Most AU SMBs we work with want a checklist they can actually run against, not another summary of what changed. This is that checklist.

Twelve specific actions, each with a clear scope, a typical timeline, and the obvious owner inside your business. Work through them in order. If you genuinely do all twelve, you are in defensible shape against the Office of the Australian Information Commissioner (OAIC) expectations for reasonable steps.

1. Confirm whether the small business exemption still applies to you

The $3 million annual turnover exemption is being progressively narrowed. Even below the threshold, you may already be in scope if you are a health service provider, you trade in personal information, you are a related entity of a larger organisation, or you contract to a Commonwealth agency. Run the test now rather than assuming. Our Privacy Act 2026 small business guide covers the exemption rules in detail.

Owner: business owner or general manager. Timeline: 30 minutes with the guide.

2. Map the personal information your business actually holds

Most businesses underestimate this by a factor of two or three. List every system, every database, every shared drive, every email mailbox, every spreadsheet that contains personal information. Note who has access to each. Note where it physically sits (cloud region, on-prem, third party). Note what type of information is in each.

This is the foundation of every other step. You cannot protect what you have not mapped.

Owner: business owner with IT support. Timeline: 1-3 days for a typical 50-person SMB.

3. Review and update your privacy collection notice

Most SMB collection notices have not been touched since 2020. The 2026 expectations are tighter: notices need to clearly explain what is collected, why, who it goes to, and how someone can access or correct it. Standard templates do not meet the expectation if they describe practices your business does not actually follow.

Owner: business owner or marketing lead, reviewed by legal counsel. Timeline: 1-2 weeks.

4. Review consent practices for direct marketing

APP 7 requires clear consent for using personal information for direct marketing. The OAIC has signalled stronger enforcement here, particularly on pre-ticked consent boxes, implied consent claims, and unsubscribe friction. If your marketing list was built from contact form opt-ins where consent was bundled with “submit”, review that.

Owner: marketing lead. Timeline: 1-2 weeks.

5. Implement a retention schedule with disposal evidence

APP 11.2 requires destroying or de-identifying personal information you no longer need. Most SMBs have no formal retention schedule and keep everything indefinitely. The OAIC’s 2026 enforcement focus on retention practices catches this out directly.

Build a retention schedule that lists each category of personal information, how long you keep it, and what happens at the end of the period. Then actually execute the schedule with evidence of disposal.

Owner: business owner with IT and finance input. Timeline: 4-6 weeks to build, ongoing to execute.
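One way to execute a retention schedule and keep disposal evidence, as an added example that is not the article's or Epic IT's own code: the categories, retention periods, records and dates are constructed, and the record fields and the evidence format are my assumptions. It also flags records whose category has no rule, since an incomplete schedule is the usual reason data is kept indefinitely.

```python
from dataclasses import dataclass
from datetime import date, timedelta
import hashlib
import json

# Constructed schedule (not the article's): category -> (retention period, end action).
SCHEDULE = {
    "customer_contact": (timedelta(days=365 * 7), "destroy"),
    "job_applicant": (timedelta(days=180), "destroy"),
    "support_ticket": (timedelta(days=365 * 2), "de-identify"),
}

@dataclass
class Record:
    record_id: str
    category: str
    last_needed: date  # last date the business needed this record for a purpose

def due_for_disposal(records, schedule, today):
    """Return (due, unscheduled): records past their retention period with the
    scheduled action, and records whose category has no rule (a schedule gap)."""
    due, unscheduled = [], []
    for r in records:
        if r.category not in schedule:
            unscheduled.append(r)
            continue
        period, action = schedule[r.category]
        if today >= r.last_needed + period:
            due.append((r, action))
    return due, unscheduled

def _digest(entry):
    body = {k: v for k, v in entry.items() if k != "digest"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def disposal_evidence(record, action, performed_on, performed_by):
    """Evidence entry for one disposal: what, how, when, by whom. It holds no
    personal data, and its digest makes later edits to the log detectable."""
    entry = {
        "record_id": record.record_id,
        "category": record.category,
        "action": action,
        "performed_on": performed_on.isoformat(),
        "performed_by": performed_by,
    }
    entry["digest"] = _digest(entry)
    return entry

def verify_evidence(entry):
    return entry.get("digest") == _digest(entry)
```

Run the check on the same date each month and file the evidence entries with the schedule; the unscheduled list is the to-do list for extending the schedule.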

6. Document your data subject access process

APP 12 gives individuals the right to access personal information you hold about them, and APP 13 gives them the right to correct it. You need a documented process for receiving, validating, fulfilling, and recording these requests. Most SMBs do not have one and discover this only when the first request arrives.

The process does not need to be elaborate. Who receives the request, how identity is verified, what timeframe applies, who fulfils it, what gets recorded. One page is enough if it is followed.

Owner: business owner or operations lead. Timeline: 1 week to document, ongoing to operate.

7. Deploy multi-factor authentication on every system handling personal information

This is the single most important technical control under “reasonable steps” in APP 11.1. Email, file storage, the CRM, the financial system, remote access. Every account, every system. No exceptions for executives or convenience.

If you have not done this yet, it is the first technical priority. Most successful breaches of AU SMB systems start with credential compromise that MFA would have prevented.

Owner: IT provider or internal IT. Timeline: 2-4 weeks for a typical 50-person SMB.

8. Establish a vendor management procedure

APP 8 makes you accountable for what your third-party suppliers do with personal information you give them. Cloud providers, marketing platforms, accountants, lawyers, contractors. List every vendor that touches personal information. Get a privacy statement or data processing agreement (DPA) from each. Review annually.

The OAIC’s enforcement focus on supply chain has increased materially through 2025 and 2026. A breach at your vendor is a breach you are accountable for.

Owner: business owner with procurement input. Timeline: 2-3 weeks to inventory, ongoing to maintain.

9. Document and test an incident response plan

Under the notifiable data breaches scheme, you have 30 days to assess a suspected breach and notify affected individuals and the OAIC as soon as practicable after that. Working that out under pressure with no plan is how late notifications happen, and late notification is a separate enforcement issue from the breach itself.

Document the plan. Name the people. Run a tabletop exercise once a year to test it. Update it after the exercise.

Owner: business owner with IT and legal input. Timeline: 2-3 weeks to document, 1 day a year to test.

10. Run staff privacy training

Most data breaches at SMBs start with a human error: a wrong email recipient, a forwarded attachment, a phishing click. Annual staff privacy training is now a baseline expectation, not a nice-to-have. The training needs to cover what personal information is, how staff handle it, what to do if they notice something wrong, and how to recognise the most common attack patterns.

Owner: HR or office manager with IT input. Timeline: 1-2 hours of training per staff member annually.

11. Align to a recognised cybersecurity framework

The OAIC increasingly references frameworks like Essential Eight and SMB1001 as evidence of “reasonable steps” under APP 11.1. Self-attestation alone is the weakest position. A documented framework alignment with a recent gap assessment is materially stronger.

For most AU SMBs, SMB1001 Bronze or Silver is the right starting point. See our framework overlap guide for how the three frameworks fit together.

Owner: business owner with IT provider. Timeline: 4-12 weeks depending on tier.

12. Schedule an annual privacy compliance review

Privacy obligations evolve. Frameworks revise. Your business changes. Set a calendar reminder for an annual review covering all eleven previous steps. Update what has changed, fix what has slipped, document what was reviewed and when. This is the difference between sustained compliance and a one-off project that decays into uselessness.

Owner: business owner. Timeline: half a day a year, or a day if material things have changed.

What you should do now

Start with steps 1, 2, and 7 this week. Confirm your exemption status, map your personal information, and deploy MFA everywhere. These three unlock everything else and you can do them in parallel.

Plan the remaining nine over the next 90 days. Most SMBs of 20-100 staff can complete the full twelve-step programme in three months with normal effort. The work compounds.

Book a Privacy Act readiness review with us. Contact us on 1300 EPIC IT and we will assess where you sit against all twelve steps and give you a costed plan to close the gaps. We do this through our managed cybersecurity service for ongoing clients, or as a standalone engagement for businesses without managed cybersecurity in place.

Frequently asked questions

How long does it take to complete the 12-step Privacy Act programme?

For an AU SMB starting from limited formal privacy work, the realistic timeline is 90 days for the bulk of the programme and 6-12 months for full framework alignment. Businesses already running well-managed IT often complete the technical steps inside 30 days because most controls are already deployed. The policy and process steps tend to take longer because they require management attention rather than technical work.

What is the most expensive step in the 12-step programme?

Step 11 (framework alignment) typically costs the most because it involves both technical controls and an external audit if you target SMB1001 Gold or higher. For most SMBs the year-one cost is $10,000-25,000 including controls deployment and audit. The other eleven steps cost mostly internal time rather than external spend.

Can my business do this without external help?

Steps 1, 2, 3, 4, 5, 6, 10, and 12 can be done internally with management attention and templates. Steps 7, 8, 9, and 11 typically benefit from external IT and security expertise, particularly for the technical controls and the framework alignment work. Most AU SMBs use a managed IT or cybersecurity provider for the technical steps and run the policy work in-house.

Which step should I do first if I can only do one?

Step 7 (multi-factor authentication on every system handling personal information). It is the single most important technical control under “reasonable steps” in APP 11.1, it prevents the majority of successful credential-based breaches, and it can typically be deployed inside 4 weeks. If your business has MFA gaps today, that is the first priority.

How does this checklist relate to Essential Eight and SMB1001?

Roughly 70% of this checklist overlaps with the controls in Essential Eight and SMB1001. Step 11 makes the overlap explicit by aligning your business to one of the frameworks. The Privacy Act-specific steps (1, 2, 3, 4, 5, 6, 8, 9) are largely outside the cybersecurity frameworks and need separate attention. See our framework overlap guide for the full mapping.

What happens if I do nothing?

The OAIC’s enforcement powers have expanded materially and the agency is using them. The headline penalty is $50 million for serious or repeated interference, but more relevant for AU SMBs are the mid-tier and lower-tier penalties, plus the substantial non-penalty costs of a breach (legal, communications, remediation, reputational). Doing nothing is not a stable position; the regulatory direction is clear and the cost gap between proactive compliance and reactive breach response is widening.

Need help working through the 12 steps?

Our Perth-based team will assess your current position against all twelve steps and give you a practical, costed plan to close the gaps. No obligation.

Book a Privacy Act Review

About the Author
Written by Greg Markowski, Founding Director of Epic IT, a CRN Fast50-recognised Microsoft Solutions Partner managing IT and cybersecurity for Perth businesses since 2003. Greg holds a Degree in Computer Science and a Diploma in Computer Systems Engineering from Edith Cowan University, and is ITIL certified.
