Cybercraft
← Back to In a Box services ⚠ Deadline: 1 July 2026

The small business exemption ends on 1 July 2026. Are you ready?

From 1 July 2026, the Privacy Act 1988 small business exemption is removed. If you hold personal information about customers, employees, or contractors, you now have obligations — regardless of your turnover. This service gets you compliant before the deadline.

What's changing

📅
1 July 2026 — exemption removed

Businesses previously exempt under the small business turnover threshold will have full obligations under the Privacy Act 1988, including mandatory data breach notification and the Australian Privacy Principles.

Most Australian small businesses have never had to think about privacy law compliance. From 1 July 2026 that changes. The Privacy Act applies to any business that holds personal information — customer records, employee files, client contact details, payment history, health information — and the obligations are real.

This service gets you compliant within a 4–6 week sprint. We assess what personal information you hold, how you collect and store it, and what obligations apply — then build the policies, notices, and processes you need. No ambiguity. No templates dropped in without context.

Deliverables

  • Personal information audit — what you hold, where it lives, and how it flows
  • Privacy Policy (Australian Privacy Principles compliant)
  • Privacy Notice for your website and customer-facing forms
  • Data register mapping personal information types and storage locations
  • Data breach response procedure (mandatory notification obligations)
  • Staff handling guidelines — practical guidance for day-to-day operations
  • Review schedule and maintenance checklist

Business benefits

  • Compliant before the 1 July 2026 deadline — no last-minute scramble
  • Avoid regulatory penalties and reputational damage from a breach or complaint
  • Builds customer and client trust — privacy compliance is becoming a differentiator
  • Satisfies privacy questionnaire requirements from enterprise clients and government
  • Foundation for GDPR readiness if you handle EU personal data

Engagement process

Information auditWe map the personal information your business collects, holds, uses, and discloses — customers, employees, contractors, and third parties.
Obligations reviewWe identify which Australian Privacy Principles apply to your specific operations and what each requires from you.
Policy draftingPrivacy Policy and Notice drafted to reflect your actual data practices — not generic boilerplate that doesn't match what you actually do.
Process designData breach response procedure, access and correction processes, and staff handling guidelines — practical workflows your team can follow.
Delivery and reviewAll documents delivered with a walkthrough, implementation guidance, and a review schedule to keep them current as your business evolves.
Start the sprint now

Where to next?

📄
Policy & Procedures Expand beyond Privacy Policy to a full security policy suite.
🔒
Privacy Framework Ongoing PIAs and Privacy Officer support once the sprint is done.
📋
ISO 27701 For organisations that need internationally recognised privacy certification.

See how this fits: Privacy Act deadline path

1 July 2026 is closer than it looks — and the 4–6 week sprint has to start somewhere

The sooner you start, the more options you have. Leaving it to May or June means a rushed engagement and less time to get it right.

Beat the deadline

Kaurna Acknowledgement

We acknowledge and pay our respects to the Kaurna people, the traditional custodians of the ancestral lands on which we work. We acknowledge the deep feelings of attachment and relationship of the Kaurna people to country and we respect and value their past, present and ongoing connection to the land and cultural beliefs.