rulesmate.com.au — Compliance reference
https://rulesmate.com.au/insights/privacy-act-2026-eight-questions-smb
Printed 6 July 2026
Privacy Act 2026: 8 questions every Australian SMB should answer
Removing the small business exemption is proposed for a future reform tranche — not yet law — but if enacted ~2 million SMBs would become APP entities. Answer these 8 questions to know where you stand.
1. Are we exempt today?
Small business exemption (s 6D) applies under $3M turnover. But carve-outs: health information holders, list brokers, Commonwealth contractors, credit reporting, residential tenancy DBs, TFN holders for non-employees are NOT exempt. Removing the exemption entirely was recommended in the Privacy Act Review and agreed in principle by the Government, but it is deferred to a future reform tranche — not yet law, with no commencement date.
2. Do we have a written Privacy Policy?
APP 1.3 requires every APP entity to have a clearly-expressed Privacy Policy meeting APP 1.4 minimum content.
3. Do we know what personal information we hold?
Build a data inventory across CRM, email marketing, HR/payroll, phones, forms, backups, vendor systems. Without it you can't answer APP 11 / 12 / NDB.
4. What's our breach response plan?
Under NDB: assess within 30 days, notify OAIC + individuals as soon as practicable once confirmed eligible. Pre-build incident owner, comms template, OAIC form. Tabletop test. See NDB timer tool.
5. Do our vendors handle personal information safely?
For each material vendor: DPA in contract, security control confirmation (SOC 2, ISO 27001, IRAP), geographic-residency confirmation, sub-processor disclosure.
6. Can we respond to an access or correction request?
APP 12: access requests within 30 days (private sector). APP 13: take reasonable steps to correct; attach statement if you disagree. Build the intake workflow.
7. Do we use automated decision-making?
If algorithmic credit scoring, automated moderation, AI-driven employee decisions — build ADM register: model card, inputs, purpose, oversight, human-review pathway. Include in Privacy Policy.
8. Have we trained staff?
APP 11.1 reasonable steps include training. Required: onboarding, annual refresher, phishing awareness, breach reporting workflow. OAIC checks training records during investigation.
---
Done? Validate via the Privacy Act 2026 readiness scorer. Score below 65? You have work to do to get ready for the Privacy Act reforms — and the proposed exemption removal would only raise the stakes.
Frequently asked
Will OAIC enforce on day one?
OAIC has historically taken an educative approach immediately post-reform. But statutory penalties apply from day one for serious or repeated interferences.
Can my IT provider do all this?
They can help with security + breach response. Policy, training, ADM register, access/correction workflow are organisational — typically owned by HR / operations / a privacy officer (part-time OK).
What's the personal liability of directors?
Privacy Act penalties are corporate. But under Corporations Act s 180 + ASIC v RI Advice precedent, persistent IT/privacy failings can attract director-duty exposure.
Related
Obligations covered
Free tools
© Rules Mate · Source citations at the end · Information current as at 18 May 2026
Printed from https://rulesmate.com.au/insights/privacy-act-2026-eight-questions-smb