The Tech Edge: Australia’s Privacy Act Reforms Are a Reality Check for Businesses

07/17/2025
7 min read

Recent high-profile data breaches have highlighted the urgent need for updated privacy legislation. Australia's current Privacy Act does not apply to many businesses, even though organizations hold more personal data than ever. That's about to change.

The federal government is finally stepping in with sharper rules, heavier penalties, and broader enforcement in an ongoing overhaul of the Privacy Act 1988. The first tranche of reforms was introduced to Parliament in September 2024, with a second tranche expected to follow. The reforms align Australia's privacy laws more closely with international standards such as the European Union's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act.

In a Tech Edge episode, I spoke with Anne Cornish, CEO of Records and Information Management Professionals Australasia (RIMPA), to unpack what these changes mean, why they’re so necessary, and where organizations should focus their energy right now.

Spoiler: Waiting isn’t an option anymore.

The Wake-Up Call We Needed

It’s no secret that businesses today are sitting on mountains of data. From customer emails to credit card information, location tracking to purchasing behavior — it’s all there, tucked away in systems that are often under-resourced, under-secured, and under-scrutinized.

And yet, many of these organizations have never even been required to comply with the Privacy Act. Think about it: your local newsagent likely holds your name, your address, maybe even your purchase history — and until now, there’s been little obligation for them to treat that information with the same rigor as a major bank would.

It’s unsettling when you consider how much personal information even the smallest businesses collect — and I say that both as an information privacy expert and as a consumer who really doesn’t want her details ending up in the wrong hands. While the new legislation might not include the small enterprises in its first pass, the direction is clear: compliance expectations are expanding.

What’s Actually Changing?

The new regulations will require businesses to take a more proactive approach to risk management and data security. So, what do these updates look like in practice?

Anne walked us through several of the major changes headed our way:

  • Heightened penalties: Organizations that suffer repeated privacy breaches will face much steeper fines.
  • Mandatory breach reporting: More organizations will be required to report when data is compromised.
  • New individual rights: People will gain more control over their data, including correcting errors and challenging automated decisions made about them.
  • Regulation of AI-driven decisions: If a person is denied a loan or insurance because of an automated system, that process and its data will now fall under privacy law.

These changes modernize the law and signal a shift in expectations. Organizations will need to improve their privacy practices to ensure compliance with the new regulations.

The Cost of Doing Nothing

For too long, the economics of data protection have been upside down. Many organizations did the math and realized it was so much cheaper to just pay the penalty than actually implement the systems and processes to protect people’s personal information.

That kind of tradeoff only works while penalties are weak and public trust isn't on the line. Both of those factors are now shifting. Between the legal updates and the increasing frequency of high-profile breaches, the cost of doing nothing is rising fast. When a breach hits your business, the reputational damage can dwarf the financial penalty.

While the changes to the Privacy Act present challenges, they are a necessary evolution in our increasingly data-driven world. By starting to prepare now, businesses of all sizes can position themselves to navigate these changes successfully, protecting both their interests and the privacy of their customers. 

Why Small Businesses Can’t Opt Out

There’s a dangerous assumption floating around that this overhaul is only a concern for large businesses. After all, most small enterprises (those earning under $3 million a year) haven’t previously fallen under the Privacy Act.

However, Anne makes it clear that it’s changing — if not immediately, then inevitably. “The recommendation on small business is still under consultation… but I personally think it’s just a transitional period. It will eventually occur,” she mentions.

The challenge, of course, is that many small business owners lack the resources, expertise, or time to get privacy compliance right. As Anne puts it, “Mom-and-Pop shops, who own the newsagents down the road, they’re not trying to be negligent. They just don’t necessarily have the skill set or capabilities.”

Fair enough, but that doesn't mean they can ignore the risks. I love supporting local businesses; however, I don't want to wonder whether my payment details or personal information are sitting unprotected on a back-office computer. Personal data, whether held by a bank or a bakery, is still personal data, and the consequences of a compromise are just as real.

Treating Data Like a High-Risk Asset

One of the biggest mindset shifts we discussed is the need to treat information as a high-risk asset. That means handling it with the same discipline you’d apply to financial records or intellectual property.

Here's where many organizations, large and small, fall short. They collect too much data, keep it too long, and have no plan for disposal. That needs to change. You wouldn't leave stacks of cash lying around your office, and you shouldn't leave unnecessary customer data sitting in unsecured systems either.

Why Is Data Minimization a Game-Changer?

If there’s one practical shift every business should make starting today, it’s this: stop hoarding data. By reducing the amount of personal data stored, businesses can significantly decrease their risk exposure and simplify compliance with the new regulations.

Too many organizations hang onto data "just in case." That habit introduces enormous risk: if you're breached, every unnecessary record becomes a liability, and many of the worst breaches in recent years have been made worse by data held long after its use-by date.

There are legal mechanisms that allow you to dispose of data safely and correctly. Use them.

Where Should You Start?

The first tranche of reforms is already in effect. Now is a good time to assess your readiness and prepare for the next wave of changes.  

Here’s what Anne recommends:

  1. Audit what you’re collecting. We often collect data out of habit, not strategy. Take the time to map it.
  2. Review your policies. Even if you're a small business with no formal policy, a simple template is better than nothing.
  3. Train your staff. Privacy isn’t just a technology issue; it’s a people issue. Every employee should know their role in protecting customer information.
  4. Update your tech. Outdated systems are often the weakest link.
  5. Prepare for breach reporting. Set up clear workflows and roles now. Don’t wait until you’re scrambling to respond.
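The data-minimization advice above and step 1 of this list (audit what you collect, then stop keeping what you no longer need) come down to one control: a retention schedule that is actually enforced. The following Python is an added example, not code from the article, RIMPA or AvePoint. The categories, retention periods and sample records are constructed assumptions for illustration; real retention periods come from your legal and record-keeping obligations, and a legal-hold override (omitted here) would normally take precedence over disposal.

```python
"""
Retention-schedule enforcement over a constructed data inventory.

Added example; the schedule, categories, dates and records below are
assumptions for illustration, not the article's or any vendor's code.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical retention schedule: category -> days a record may be kept
# after the last date it served the purpose it was collected for.
RETENTION_DAYS = {
    "customer_contact": 365 * 2,
    "purchase_history": 365 * 7,   # assumed accounting record-keeping period
    "payment_card": 0,             # never retained once the transaction completes
}


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    last_used: date  # last date the record served its stated purpose


def classify(records, today, schedule=RETENTION_DAYS):
    """Split records into (keep, dispose, unscheduled).

    keep        - still inside the retention period for its category
    dispose     - past the retention period; should be destroyed
    unscheduled - category has no retention rule at all, i.e. data collected
                  "just in case" with no stated purpose. That is an audit
                  finding, not a pass: decide a purpose and period, or stop
                  collecting it.
    """
    keep, dispose, unscheduled = [], [], []
    for r in records:
        if r.category not in schedule:
            unscheduled.append(r)
            continue
        expires = r.last_used + timedelta(days=schedule[r.category])
        (dispose if today > expires else keep).append(r)
    return keep, dispose, unscheduled


def dispose_record(r):
    """Return the disposal log entry that replaces a record.

    The entry proves the record was destroyed (auditors ask) but carries no
    personal data itself, so the log does not become the next liability.
    """
    return {"record_id": r.record_id, "category": r.category, "action": "disposed"}


def inventory_summary(records, schedule=RETENTION_DAYS):
    """Per-category count plus whether a retention rule exists (the 'map it' step)."""
    summary = {}
    for r in records:
        entry = summary.setdefault(r.category, {"count": 0, "has_rule": r.category in schedule})
        entry["count"] += 1
    return summary


# Constructed sample data. The reference date is the article's publication date.
TODAY = date(2025, 7, 17)
SAMPLE = [
    Record("c-1", "customer_contact", date(2024, 9, 1)),       # inside 2 years -> keep
    Record("c-2", "customer_contact", date(2022, 3, 15)),      # past 2 years -> dispose
    Record("p-1", "purchase_history", date(2019, 1, 10)),      # inside 7 years -> keep
    Record("k-1", "payment_card", date(2025, 7, 16)),          # transaction done -> dispose
    Record("x-1", "loyalty_signup_survey", date(2025, 1, 1)),  # no rule -> unscheduled
]


def run_example(records=SAMPLE, today=TODAY):
    keep, dispose, unscheduled = classify(records, today)
    return {
        "keep": [r.record_id for r in keep],
        "dispose": [dispose_record(r) for r in dispose],
        "unscheduled": [r.record_id for r in unscheduled],
        "inventory": inventory_summary(records),
    }


if __name__ == "__main__":
    for section, value in run_example().items():
        print(section, value)
```

Run it and the `unscheduled` bucket is the interesting output: it lists categories of personal data your organization holds with no defined purpose or retention period, which is exactly the "collected out of habit" data the audit step is meant to surface. Scheduling the `classify` pass to run regularly, and acting on its `dispose` list, is what turns a written retention policy into data minimization in practice.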

Privacy Is a Business Issue

Privacy isn’t just an IT problem. It’s a leadership issue. It’s a brand issue. It’s a survival issue.

If your organization touches personal information – and let’s be honest, it does – you have a duty to manage that information responsibly, strategically, and proactively.

The businesses that take privacy seriously now won’t just avoid penalties. They’ll earn the trust that drives loyalty and long-term success.

This Is Just the Beginning

The Privacy Act overhaul is not the end of the story — it's the beginning. It signals a new era in which businesses will be held accountable for what they do with data and how they respect the people it belongs to.

Start now. Audit your data. Tighten your policies. Educate your people. Above all, respect the power and responsibility of holding someone else’s information. Because the next time a breach makes headlines, no one’s going to ask if you’re compliant. They’ll be asking if you were responsible.  

Let’s stop treating privacy as an afterthought. Let’s lead with it.

Check out this episode and more here: The Tech Edge — Ticker


Alyssa Blackburn

Alyssa Blackburn is the Director of Records & Information Strategy at AvePoint, where she helps organisations achieve business value from their information. In her role, Alyssa provides records and information consulting services as well as system implementations, allowing customers to optimise the structure of their information to maximise business benefits while meeting data governance and compliance objectives. With 20 years of experience in the information management industry, Alyssa has worked with both public and private sector organisations to deliver guidance for information management success in the digital age. She is responsible for the development of AvePoint's information management solution and has been involved in implementing its records management solution with government agencies and commercial clients. Alyssa is actively involved in the information management industry and has spoken at a number of events, including Inforum 2016 in Perth. She has been published in the RIMPA IQ magazine and won its 2016 Article of the Year award for her article "Why you need to think differently about information management."