Privacy Act 2025: What Australian SMBs Need to Know Right Now

The game has changed. On June 1, 2025, the Privacy Act reforms took effect — and if you're an Australian business storing customer data in Microsoft 365, you need to understand what this means for you.

What Changed?

The most significant change: the $3M annual turnover exemption was removed.

Previously, small businesses with annual turnover under $3M were exempt from most Privacy Act obligations. That exemption is gone. Now, if you handle personal information in the course of business, you're covered — regardless of your size or revenue.

This affects you if:
  • You store customer emails, phone numbers, or addresses in M365
  • You're a professional services firm (legal, accounting, medical, financial planning)
  • You're in real estate, recruitment, education, or any client-facing business
  • Basically: if you have client data in Microsoft 365, you're now covered

What Are Your New Obligations?

1. Mandatory Breach Notification

If you experience a data breach involving personal information, you must:

Here's the problem: most SMBs we assess can't do any of this.

Why? Because they don't have:

2. "Reasonable Steps" to Protect Data

You must take "reasonable steps" to protect personal information from misuse, interference, loss, unauthorized access, modification, or disclosure.

What counts as "reasonable"? The OAIC looks at:

Good news: You don't need enterprise-grade security. But you DO need basic controls like MFA, proper access management, audit logging, and documented policies. These are all configurable in M365 — most businesses just haven't done it.
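As an added example (this is not code from the original post or from CyberChex), the PowerShell script below reads the current state of the controls the paragraph names in a tenant and writes a dated report, which doubles as the kind of evidence Step 3 asks for. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed and that the signed-in account can read policy, directory-role and audit configuration; the threshold of five Global Administrators and the report file path are my own choices, not anything the post specifies. It only reads settings and makes no changes.

```powershell
# Added example (not from the original post or CyberChex): read-only check of
# audit logging, MFA enforcement and admin-role sprawl in a Microsoft 365 tenant.
# Assumes: ExchangeOnlineManagement and Microsoft.Graph modules are installed
# and the caller has read rights to Exchange admin config, Entra policies and roles.

Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -Scopes "Policy.Read.All", "Directory.Read.All" -NoWelcome

$findings = New-Object System.Collections.Generic.List[string]

# 1. Audit logging: breach scoping depends on the unified audit log being populated.
$auditCfg = Get-AdminAuditLogConfig
if (-not $auditCfg.UnifiedAuditLogIngestionEnabled) {
    $findings.Add("Unified audit log ingestion is DISABLED. Remediation: " +
                  "Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled `$true")
}

# 2. MFA: accept either Security Defaults or at least one enabled
#    Conditional Access policy whose grant control requires MFA.
$secDefaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
$caPolicies  = Get-MgIdentityConditionalAccessPolicy
$mfaPolicies = @($caPolicies | Where-Object {
    $_.State -eq 'enabled' -and $_.GrantControls.BuiltInControls -contains 'mfa'
})
if (-not $secDefaults.IsEnabled -and $mfaPolicies.Count -eq 0) {
    $findings.Add("No tenant-wide MFA enforcement found: Security Defaults are off " +
                  "and no enabled Conditional Access policy requires MFA.")
}

# 3. Access management: count Global Administrators. Five is an assumed
#    threshold chosen for this example; fewer privileged accounts means less
#    damage from one compromised credential.
$maxGlobalAdmins = 5
$gaRole = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
if ($null -ne $gaRole) {
    $gaMembers = @(Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id)
    if ($gaMembers.Count -gt $maxGlobalAdmins) {
        $findings.Add("$($gaMembers.Count) Global Administrators assigned (assumed " +
                      "threshold: $maxGlobalAdmins). Review and reduce.")
    }
}

# 4. Evidence: write a timestamped report so the check itself is documented.
$reportPath = Join-Path $PWD ("m365-privacy-controls-{0:yyyyMMdd-HHmm}.txt" -f (Get-Date))
$report = @(
    "M365 privacy control check run $(Get-Date -Format o)"
    "Unified audit log enabled : $($auditCfg.UnifiedAuditLogIngestionEnabled)"
    "Security Defaults enabled : $($secDefaults.IsEnabled)"
    "CA policies requiring MFA : $($mfaPolicies.Count)"
    ""
    if ($findings.Count -eq 0) { "No gaps found in the checked controls." }
    else { "Gaps found:"; $findings | ForEach-Object { " - $_" } }
)
$report | Out-File -FilePath $reportPath -Encoding utf8
$report | Write-Output

Disconnect-ExchangeOnline -Confirm:$false
Disconnect-MgGraph | Out-Null
```

Run it from an account that holds a read-only role such as Global Reader; the point is to produce the report before any incident, so that the question "what steps did you take?" can be answered with a dated artefact rather than from memory.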

3. Privacy Policy Requirements

You need a clear, up-to-date privacy policy that explains:

Having a generic privacy policy template from 2018 doesn't cut it anymore. It needs to accurately reflect your actual M365 data handling practices.

What Happens If You Don't Comply?

The penalties got steeper:

Real scenario: A small accounting firm experiences a breach but doesn't have audit logging enabled. They can't determine what data was accessed, so they're forced to notify ALL clients (not just affected ones). The OAIC investigation finds they had no MFA, no backup, and hadn't updated their privacy policy in 5 years. Result: $50,000 fine + loss of 15 clients + 18 months rebuilding reputation.

What You Need to Do Now

Step 1: Know Where Your Data Lives

Map where personal information is stored in your M365 environment:

Step 2: Implement Basic Security Controls

The minimum you need:

Step 3: Document Your Controls

If the OAIC investigates a breach, they'll ask: "What steps did you take to protect this data?"

You need documentation showing:

Step 4: Update Your Privacy Policy

Make sure your privacy policy reflects your actual M365 environment:

How CyberChex Can Help

Privacy Act compliance is a whole-of-business obligation, but a large share of breach risk lives in your Microsoft 365 environment — weak MFA, over-shared data, and gaps in breach detection and logging. Our M365 security assessment gives you an evidence-based picture of those controls so you can strengthen the technical side of breach readiness.

Understand Your M365 Breach Exposure

Get a clear picture of your Microsoft 365 security posture and where to act first.

Book M365 Assessment - From $499 + GST

The Bottom Line

The Privacy Act 2025 reforms aren't optional. If you handle personal information in M365, you now have clear legal obligations — and penalties for non-compliance.

The good news? Most of what you need is already built into M365. You just need to configure it properly and document it.

Start now. Don't wait for a breach notification to discover your gaps.
