1 July 2026: The Privacy Act small business exemption ends. From this date, the Australian Privacy Principles apply to almost all Australian businesses — regardless of revenue.


The Privacy Act changes on 1 July 2026. Does it apply to you — and are you ready?

The small business exemption that kept most businesses outside Privacy Act obligations ends in three months. This readiness assessment tells you whether you're affected, where you stand against the 13 Australian Privacy Principles, and whether you have enough time to close the gaps before the deadline.

Check my Privacy Act readiness

Fixed fee. Results in five to seven business days. No system access.

Four situations that lead to this assessment

"I read about the Privacy Act changes and called my accountant. They said it probably applies to us and suggested we get advice."

The question is whether you're ready. This assessment gives you a factual answer.

"A client's updated supplier agreement has a new Privacy Act compliance clause. They want written confirmation."

A client asking is a hard deadline. The readiness assessment is the first step to providing that confirmation.

"A staff member sent customer data to the wrong recipient. No one knew what our reporting obligations were."

A near-miss surfaces the gaps. From 1 July 2026, those gaps carry formal obligations and potential penalties.

"Our cyber insurance renewal asked about our Privacy Act compliance posture and whether we have a Privacy Policy in place."

Insurers are pricing in privacy risk. Compliance is becoming a condition, not just a nice-to-have.

If you're currently exempt under the $3 million revenue threshold, that changes on 1 July. But many businesses — including those providing services to enterprise clients, handling any health information, or processing customer financial data — are already covered regardless of revenue.


Important — privacy and security are the same obligation

APP 11 requires reasonable security controls. A Privacy Policy without them is not compliant.

The Australian Privacy Principles include APP 11: the obligation to take reasonable steps to protect personal information from misuse, loss, unauthorised access, modification, or disclosure. This means access controls, encryption, and a documented breach response capability — not just a Privacy Policy on your website. CyberCraft assesses both sides of the obligation in one engagement, because they are inseparable.


Assessment against all 13 Australian Privacy Principles

Each principle is assessed as pass, partial, or fail. The APP 11 section includes the security controls crosswalk — so you see exactly where privacy compliance requires security work.

Collection and handling

  • APP 1 — Open and transparent management
  • APP 2 — Anonymity and pseudonymity options
  • APP 3 — Collection of solicited personal information
  • APP 4 — Unsolicited personal information handling
  • APP 5 — Notification of collection
  • APP 6 — Use or disclosure of personal information

Cross-border, quality, and security

  • APP 7 — Direct marketing
  • APP 8 — Cross-border disclosure
  • APP 9 — Government-related identifiers
  • APP 10 — Quality of personal information
  • APP 11 — Security of personal information ← security controls
  • APP 12 — Access to personal information
  • APP 13 — Correction of personal information

Everything you need to know where you stand — and what to do next


Privacy Act Readiness Report

Pass, partial, or fail against each of the 13 APPs, with the basis for each result and what would change it. Plain language throughout — no legal jargon.


Security Gap Crosswalk (APP 11)

The security controls required to fulfil your APP 11 obligations, mapped to your current security posture. This is the document that shows where privacy compliance and cyber security are the same work — and why both need to be addressed together.


Timeline assessment

A plain-language view of whether the identified gaps are achievable before 1 July 2026, and what the critical path is. If there is not enough time to complete a full compliance sprint before the deadline, this report will tell you that — and what the most important things to close first are.

Priority action list

What to address first, in what order, for the best chance of compliance by the deadline. Sequenced by risk and dependency — not alphabetically.


One-page executive summary

A plain-language summary suitable for the CEO, board, or a client requiring confirmation of compliance progress. Includes the timeline assessment.


30-minute debrief call

Walk through findings, ask questions, and understand exactly what the compliance sprint involves from where you are now.


Questionnaire-based — no system access required

Book and pay — no call required

Use the pricing configurator below to get your fixed price and book directly.

30-minute kickoff call

We confirm scope and walk through the questionnaire so you know what to expect. The questionnaire itself takes approximately one hour to complete at your own pace.

Questionnaire completion

Within 24 hours of kickoff, we send a structured questionnaire covering all 13 APPs — including the APP 11 security section. You complete it at your own pace. No system access, no credentials, no technical connection required.

Report and debrief delivered

Full report, security gap crosswalk, and timeline assessment delivered within five to seven business days of the completed questionnaire. Debrief call included.


Starting in May leaves insufficient time for the compliance sprint

The readiness assessment takes five to seven business days. The Privacy Act Compliance Sprint takes four to six weeks. A readiness assessment started in late May 2026 does not leave enough time to complete the sprint before the 1 July deadline.

The businesses that reach 1 July in the strongest position are the ones that start the readiness assessment now — not the ones that wait until the deadline is visible on the calendar.

Ready to find out where you stand? The readiness assessment takes less than two weeks.

Start my Privacy Act readiness check

Fixed fee, tiered by risk profile

Privacy Act Readiness — Pricing Configurator

Three questions. Fixed price displayed immediately.

$890 — within 7 business days
↳ Pricing configurator coming soon. Contact us to get your fixed price now.

Readiness flows directly into the compliance sprint

In a Box

Privacy Act Compliance Sprint

The readiness report is the intake document. Four to six weeks. Fixed fee. Gaps identified in the assessment become the sprint workstreams — no duplication of effort.

Privacy Act Compliance Sprint →
Getting Started

Security Health Check

APP 11 gaps that require security work? The Security Health Check gives you the independent external view of what's exposed — which directly informs the security side of compliance.

Security Health Check →
In a Box

Policy & Procedure Documentation

No Privacy Policy, data handling procedure, or breach response plan? This fills the documentation gap — and it can run in parallel with the compliance sprint.

Policy & Procedures →

1 July 2026 is less than three months away. Starting now gives you options. Starting in June doesn't.

Check my Privacy Act readiness — now

Five to seven business days. Fixed fee. A clear answer and a clear path forward.

Kaurna Acknowledgement

We acknowledge and pay our respects to the Kaurna people, the traditional custodians of the ancestral lands on which we work. We acknowledge the deep feelings of attachment and relationship of the Kaurna people to country and we respect and value their past, present and ongoing connection to the land and cultural beliefs.