The Australian Privacy Act small business 2026 landscape is about to change in a significant way. For years, small businesses with an annual turnover under $3 million have operated outside the Privacy Act 1988’s main obligations, thanks to a long-standing exemption. That exemption is being removed. If your business has been operating under the assumption that privacy law does not apply to you, that assumption is no longer safe.

This is not a distant regulatory shift on the horizon. The reforms are part of the Australian Government’s comprehensive Privacy Act Review, which has confirmed the direction of travel: the small business exemption is ending, and businesses of all sizes will need to meet the same baseline privacy obligations as large enterprises.

If you are a business owner, COO, CTO, CIO, or Office Manager responsible for IT decisions, this post explains exactly what is changing, who it affects, and what practical steps you should be taking right now.

What Is Changing: The End of the Small Business Exemption

The Current Exemption

Under the current Privacy Act 1988, businesses with an annual turnover of $3 million or less are generally exempt from the Act’s obligations. This has meant that millions of small to medium businesses across Australia have not been legally required to comply with the Australian Privacy Principles (APPs), which govern how personal information is collected, stored, used, and disclosed.

There are already some exceptions to this rule. Small businesses that handle health information, operate as contracted service providers to government, trade in personal information, or operate certain other categories of service have always been covered. However, the general exemption has shielded the majority of small businesses from formal privacy compliance requirements.

What the Reforms Confirm

The Privacy Act Review Report, released by the Attorney-General’s Department, recommended the removal of the small business exemption. The Government has agreed in principle to this recommendation. The direction is clear: all businesses that collect, hold, or use personal information about individuals will be expected to comply with the Privacy Act’s requirements.

The reforms represent the most significant overhaul of Australian privacy law in decades. They reflect a broader global shift toward stronger data protection standards, driven by developments such as the GDPR in Europe and growing public concern about how personal data is handled.

Who Is Affected by the Australian Privacy Act Small Business 2026 Changes

Small Businesses That Were Previously Exempt

If your business currently falls under the $3 million turnover threshold and you have relied on the exemption, you will be affected. This covers a wide range of business types, including:

  • Professional services firms such as accountants, lawyers, and consultants
  • Healthcare providers not already covered by the Act
  • Retail businesses that collect customer data
  • Hospitality and events businesses that manage bookings and guest information
  • Technology startups and digital businesses
  • Tradespeople and service providers who hold client records
  • Not-for-profit organisations and community groups that are currently exempt

Who Is Already Covered

If your business already complies with the Privacy Act because your turnover exceeds $3 million, or because you fall into one of the existing covered categories, the new rules may still affect you. The reforms introduce stronger rights for individuals, stricter requirements around data retention, and higher penalties for breaches.

The Broader Impact

Even businesses that do not think of themselves as “data businesses” collect personal information constantly. Customer names and contact details, employee records, supplier information, financial data, and digital identifiers all qualify as personal information under the Act. Almost every business in Australia will be touched by these changes in some way.

What the New Rules Mean: The Australian Privacy Principles

The 13 Australian Privacy Principles

When the small business exemption is removed, your business will be required to comply with the 13 Australian Privacy Principles. These principles cover:

  • APP 1: Having an up-to-date, clear privacy policy
  • APP 2: Allowing individuals to interact anonymously where practical
  • APP 3: Only collecting personal information that is reasonably necessary
  • APP 4: Dealing appropriately with unsolicited information
  • APP 5: Notifying individuals of the purpose of collection
  • APP 6: Using and disclosing information only for the purpose it was collected
  • APP 7: Managing direct marketing in line with individual preferences
  • APP 8: Managing cross-border disclosures carefully
  • APP 9: Restrictions on adopting government-related identifiers
  • APP 10: Keeping personal information accurate and up to date
  • APP 11: Keeping personal information secure
  • APP 12: Giving individuals access to their information on request
  • APP 13: Correcting personal information when it is inaccurate

Stronger Individual Rights

The reforms also introduce new and strengthened rights for individuals, including the right to request erasure of their personal information, the right to opt out of targeting and profiling, and stronger rights to access their data. These rights create direct obligations for the businesses that hold that data.

Mandatory Reporting of Eligible Data Breaches

The Notifiable Data Breaches (NDB) scheme already applies to entities covered by the Privacy Act. When the exemption is removed, small businesses will also be required to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals if they experience a data breach that is likely to result in serious harm.

Increased Penalties

The reforms significantly increase the penalties for serious or repeated breaches of the Privacy Act. For individuals, penalties have been increased substantially. For organisations, the maximum civil penalty can reach the greater of $50 million, three times the benefit obtained from the conduct, or 30 per cent of adjusted turnover in the relevant period. Even for minor breaches, the OAIC has stronger enforcement powers under the new framework.

What This Means for You

You Can No Longer Ignore Privacy Obligations

If you have never had a formal privacy policy, never thought about how you store customer data, or never had a process for responding to data breaches, you are not ready. The reforms require you to change that. Ignorance of the law is not a defence, and the OAIC has signalled that it intends to use its new enforcement powers.

Your IT Systems Need to Be Assessed

The practical reality of privacy compliance is largely an IT problem. Where is your customer data stored? Who has access to it? How is it backed up? How long do you keep it? Is it encrypted? Can you find it, update it, or delete it if an individual makes a request?

Most small businesses have never been asked these questions in a formal sense. They often have:

  • Customer data spread across spreadsheets, email inboxes, and cloud tools with no clear ownership
  • No defined data retention policies, meaning they keep everything indefinitely
  • Staff access to sensitive data that is broader than necessary
  • No formal process for detecting or responding to a data breach

All of these gaps need to be addressed before the reforms take effect.

A Data Breach Could Be Devastating

Under the NDB scheme, a data breach that triggers mandatory reporting can result in regulatory scrutiny, public disclosure, and reputational damage. For a small business, the reputational fallout from a disclosed breach can be far more damaging than any regulatory fine. Clients and customers trust you with their information. That trust is your business.

Your Contracts and Third Parties May Need Review

If you share personal information with third-party service providers such as cloud platforms, payroll systems, or marketing tools, you may have obligations around how that data is handled offshore or by those third parties. Your supplier contracts may need to be reviewed and updated.

You Have a Window to Prepare

The good news is that you have time to act. The reforms are directionally confirmed, but implementation timelines give businesses an opportunity to prepare. Acting now means you can build compliance into your operations properly, rather than rushing to patch gaps at the last minute.

What You Should Do Now

Step 1: Conduct a Data Audit

Start by mapping out all the personal information your business holds. This includes:

  • Customer and prospect records
  • Employee files
  • Supplier contact details
  • Any third-party data feeds or integrations

Understand where this data is stored, who can access it, and how long you keep it.

Step 2: Review or Create Your Privacy Policy

You will need a clear, accurate, and accessible privacy policy that explains how your business collects, uses, stores, and discloses personal information. This policy must be kept up to date and must reflect your actual practices.

Step 3: Assess Your IT Infrastructure for Privacy Readiness

This is where a managed IT partner becomes essential. Your IT systems need to support privacy compliance. Key areas to review include:

  • Data encryption, both at rest and in transit
  • Access controls and identity management
  • Backup and recovery procedures
  • Data retention and deletion capabilities
  • Incident detection and response tools

Otto IT’s Managed Cyber Security Services are designed to help businesses build the IT foundations needed to support compliance obligations like these. A secure, well-managed IT environment is the foundation of privacy compliance.

Step 4: Train Your Team

Privacy compliance is not just an IT issue. Every person in your business who handles personal information needs to understand their responsibilities. Training should cover what personal information is, how to handle it appropriately, and what to do if they suspect a breach.

Step 5: Create a Data Breach Response Plan

You need a documented process for identifying, containing, and reporting a data breach. This plan should identify who is responsible, what steps to take, and how to notify the OAIC and affected individuals if required.

Step 6: Review Your Third-Party Agreements

Check the privacy and data handling practices of every third-party tool and service you use. Where data is shared with external parties, ensure your contracts include appropriate privacy protections.

General Advice: Building a Privacy-Compliant Culture

Privacy compliance is not a one-time project. It is an ongoing commitment that needs to be embedded in how your business operates. Here is how to approach it practically.

Start With Risk, Not Paperwork

Not all privacy risks are equal. Focus first on the data that matters most: financial information, health information, identity documents, and any data that could cause real harm if exposed. Build controls around your highest-risk data first.

Make Privacy Someone’s Responsibility

In a small business, privacy compliance often falls through the cracks because no one owns it. Assign a specific person, whether that is the business owner, office manager, or IT lead, to be accountable for privacy obligations. Give them the authority and resources to act.

Use Technology to Reduce Risk

Modern IT tools can make privacy compliance easier. Cloud platforms with strong security defaults, identity and access management tools, and endpoint protection solutions all reduce your exposure. A well-configured IT environment is inherently more privacy-compliant than a poorly managed one.

If you are unsure whether your current setup meets the bar, the team at Otto IT can help you assess your readiness. Reach out to us here to start the conversation.

Keep Records

Document your privacy decisions, your data audit, your training activities, and your breach response testing. Regulators look more favourably on organisations that can demonstrate they took compliance seriously, even if they make mistakes along the way.

Do Not Wait for the Law to Force You

Businesses that treat privacy as a competitive advantage, rather than a compliance burden, tend to do better with their customers. Demonstrating that you take data protection seriously builds trust, reduces churn, and positions you as a professional, well-run operation.

Frequently Asked Questions

When exactly does the small business exemption end?

The Australian Government has confirmed its in-principle agreement to remove the small business exemption as part of the broader Privacy Act reforms. Exact implementation dates are subject to legislation being passed, but businesses should expect the changes to take effect progressively through 2026 and beyond. Acting now, before the deadline is set, is strongly recommended.

My business has a turnover under $3 million. Does this definitely apply to me?

Yes. Once the exemption is removed, the turnover threshold will no longer provide protection. All businesses that collect, hold, or use personal information will be subject to the Privacy Act’s requirements, regardless of size.

What counts as personal information?

Personal information is any information or opinion about an identified individual, or an individual who is reasonably identifiable. This includes names, addresses, phone numbers, email addresses, financial information, health information, employment records, and digital identifiers such as IP addresses and cookies.

Do I need to hire a dedicated privacy officer?

Not necessarily. Small businesses are not required to appoint a formal privacy officer under the current reform proposals. However, someone in your organisation needs to own the compliance function. For most small businesses, this is the business owner, the office manager, or an outsourced IT or compliance partner.

What happens if I have a data breach and I have not notified anyone?

Failing to notify the OAIC and affected individuals of an eligible data breach is itself a breach of the Privacy Act. The OAIC can investigate, issue determinations, and impose civil penalties. The reputational damage from a public breach combined with a failure to notify can be severe.

Can my IT provider help with Privacy Act compliance?

Absolutely. Your IT infrastructure is central to your ability to comply with the Privacy Act. A managed IT and cyber security provider can help you secure your data, control access, detect breaches, and build the technical foundations for ongoing compliance. Otto IT’s Managed Cyber Security Services cover exactly these areas.

How is this different from GDPR?

The GDPR is the European Union’s data protection regulation. The Australian Privacy Act is a separate piece of legislation that applies specifically in Australia. While they share similar principles, they are distinct legal frameworks. If your business handles data about EU residents, you may need to comply with both.

Final Thoughts: Get Ahead of the Australian Privacy Act Small Business 2026 Changes

The removal of the small business exemption is a fundamental shift in the Australian privacy landscape. For businesses that have never had to think seriously about data protection, the learning curve is real. But it is manageable, especially if you start now.

The Australian Privacy Act small business 2026 reforms are designed to raise the floor for data protection across the entire economy. The businesses that respond proactively will be better protected against breaches, better positioned with their clients, and far less exposed to regulatory action.

Your IT setup is the foundation. If it is not built to support privacy compliance, you have a gap that needs to close. Otto IT works with professional services businesses across Australia to build secure, managed IT environments that support compliance, resilience, and growth.

If you want to understand where your business stands and what needs to change, contact the team at Otto IT today. We can walk you through a practical assessment and help you build a roadmap that fits your business and your budget.

Do not wait for a breach or a regulator’s letter to take this seriously. The time to act is now.