Tags: compliance, security, startups

Australian Privacy Principles: Where SMEs Actually Fail

Most Australian Privacy Principles breaches at SMEs come from vendor gaps and human error, not hackers. Here's where to focus your compliance effort.

Robbie Cronin · 7 min read


The Australian Privacy Principles don't catch most businesses because of hackers. They catch them because someone emailed the wrong spreadsheet, or because nobody checked where the CRM actually stores its data. If you're running a business with 10 to 200 employees, the compliance gaps that will cost you are probably in two places: your vendor stack and your team's daily habits.

You likely already know the APPs exist. You might even have a privacy policy. But knowing the rules and actually following them are different things, and the gap tends to show up in the same spots.

Your SaaS Vendors Are an Australian Privacy Principles Problem

APP 8 says that if you send personal information overseas, you need to take reasonable steps to make sure the overseas recipient handles it consistently with the APPs. Most Australian SMEs use 10 to 30 SaaS tools. Almost all of them are hosted in the US.

Your CRM. Your email platform. Your project management tool. Your analytics. Your cloud storage. Every one of these touches customer data, and most of them move it outside Australia.

Here's what APP 8 actually requires you to do: confirm that each overseas vendor has privacy protections equivalent to the APPs, or get explicit consent from the individuals whose data you're transferring. In practice, this means reading your vendors' Data Processing Agreements. Not just accepting the terms of service.

Most SMEs have never done this. They signed up for the tool, imported their contacts, and moved on.

The fix isn't complicated. Build a register of every tool that touches personal information. For each one, note where it's hosted, whether it has a DPA, and whether that DPA covers the APP requirements. You can do this in a spreadsheet in a few hours. Start with your CRM and email platform because those hold the most personal data.

APP 8 Vendor Audit Process

1. List every tool that touches personal data (CRM, email, analytics, cloud storage).
2. Note where each vendor is hosted (most will be in the US).
3. Check for a Data Processing Agreement, not just the ToS.
4. Confirm the DPA covers the APP requirements (equivalent protections).
5. Get consent or switch vendor.

If a vendor can't show you adequate protections, you have two options: get consent from the people whose data is involved, or find a vendor that can.
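The vendor register the post describes is easy to keep in a spreadsheet, but the decision for each row (hosted in Australia, covered by a DPA, covered by consent, or still needing action) is mechanical enough to script. The following is an added example, not code from the original post: it reads a CSV register with the columns the post recommends and reports the APP 8 status of each tool, CRM and email first. The register contents, tool names and column names are constructed for illustration and do not describe any real product.

```python
"""APP 8 vendor register audit (added example, not from the original post).

Reads a register of SaaS tools that touch personal information and reports,
for each, whether the APP 8 obligation looks covered or what action is still
needed. The register below is constructed sample data; the tool names,
hosting locations and DPA answers are illustrative only.
"""
import csv
import io
from dataclasses import dataclass

# Constructed sample register. Columns mirror the spreadsheet the post
# recommends: where the tool is hosted, whether a DPA exists, whether that
# DPA covers protections equivalent to the APPs, and whether the individuals
# concerned have consented to the overseas transfer.
SAMPLE_REGISTER = """\
tool,category,hosted_in,has_dpa,dpa_covers_apps,consent_obtained
ExampleCRM,crm,US,yes,yes,no
ExampleMail,email,US,yes,no,no
ExampleAnalytics,analytics,US,no,no,no
ExampleDrive,cloud_storage,AU,no,no,no
ExamplePM,project_management,US,no,no,yes
"""

# The post says to start with the CRM and email platform because they hold
# the most personal data; lower number = review first.
PRIORITY = {"crm": 0, "email": 1, "cloud_storage": 2, "analytics": 3}


@dataclass
class Vendor:
    tool: str
    category: str
    hosted_in: str
    has_dpa: bool
    dpa_covers_apps: bool
    consent_obtained: bool


def _yes(value: str) -> bool:
    return value.strip().lower() in {"yes", "y", "true", "1"}


def parse_register(text: str) -> list[Vendor]:
    """Parse the CSV register into Vendor records."""
    rows = csv.DictReader(io.StringIO(text))
    return [
        Vendor(
            tool=r["tool"],
            category=r["category"],
            hosted_in=r["hosted_in"].strip().upper(),
            has_dpa=_yes(r["has_dpa"]),
            dpa_covers_apps=_yes(r["dpa_covers_apps"]),
            consent_obtained=_yes(r["consent_obtained"]),
        )
        for r in rows
    ]


def app8_status(v: Vendor) -> str:
    """Classify one vendor against the APP 8 decision described in the post."""
    if v.hosted_in == "AU":
        return "no overseas transfer"  # APP 8 is not triggered
    if v.has_dpa and v.dpa_covers_apps:
        return "covered by DPA"  # equivalent protections confirmed
    if v.consent_obtained:
        return "covered by consent"  # explicit consent route
    if v.has_dpa:
        return "ACTION: DPA does not cover APP requirements; get consent or switch vendor"
    return "ACTION: no DPA; get consent or switch vendor"


def audit(text: str) -> list[tuple[str, str]]:
    """Return (tool, status) pairs, highest-priority data holders first."""
    vendors = parse_register(text)
    vendors.sort(key=lambda v: (PRIORITY.get(v.category, 99), v.tool))
    return [(v.tool, app8_status(v)) for v in vendors]


def open_actions(text: str) -> list[str]:
    """Tools that still need consent or replacement, in review order."""
    return [tool for tool, status in audit(text) if status.startswith("ACTION")]


if __name__ == "__main__":
    for tool, status in audit(SAMPLE_REGISTER):
        print(f"{tool:18} {status}")
```

Running it against the constructed register lists the CRM first as covered, then flags the email platform (DPA exists but does not cover the APP requirements) and the analytics tool (no DPA at all) as needing consent or a replacement vendor. Swap `SAMPLE_REGISTER` for the contents of your own spreadsheet export to get the same report for your stack.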

Human Error Causes More Breaches Than Hackers Do

The OAIC's Notifiable Data Breaches reports consistently show the same pattern. Malicious attacks get the headlines, but human error accounts for roughly 30% of all reported breaches. And for SMEs, the proportion is often higher.

~30% of all reported breaches are caused by human error (OAIC Notifiable Data Breaches reports), and for SMEs the proportion is often higher.

The common ones: sending an email to the wrong recipient. Attaching the wrong file. Misconfiguring sharing permissions on a cloud drive. Losing a laptop or USB drive with unencrypted data.

None of these require a sophisticated attacker. They require someone having a busy Tuesday.

APP 11 says you need to take "reasonable steps" to protect personal information. For an SME, reasonable steps against human error look like this:

  • Turn off link-sharing-by-default on cloud storage. Set external sharing to require a deliberate choice, not be the default.
  • Review who has access to your customer database quarterly, not annually.
  • Use email tools that warn before sending to external addresses.
  • Encrypt laptops. All of them.


These are process fixes, not technology purchases. They cost almost nothing to implement. But they address the breach vector that actually hits businesses your size.

"Reasonable Steps" Scales With Your Business

APP 11's "reasonable steps" test is deliberately flexible. What's reasonable for a 15-person accounting firm is different from what's reasonable for a 150-person SaaS company.

But the OAIC has been clear about the baseline. If you're not doing the fundamentals (MFA on all accounts, role-based access controls, encryption for sensitive data, a patch management process, and a documented breach response plan), you'll struggle to argue you took reasonable steps.

If you're already working toward Essential Eight or ISO 27001, most of this is covered. The security controls you build for those frameworks map directly to what APP 11 expects. The gap is usually not technical. It's that nobody documented the process, nobody assigned ownership, and nobody reviews it.

A written information security policy doesn't need to be long. It needs to exist, be current, and describe what you actually do. Not what you aspire to do.

The 30-Day Clock Is Shorter Than You Think

When a breach happens, the Notifiable Data Breaches scheme gives you 30 days from when you become aware to complete your assessment. If the breach is likely to cause serious harm, you then need to notify the OAIC and affected individuals.

Thirty days sounds manageable until you realise you first need to figure out what data was involved, which usually means knowing what data you hold and where. If you don't have a data inventory, you spend the first two weeks just understanding the scope.

Breach Response: Prepared vs Unprepared

Feature                               | No Data Inventory       | Data Mapped in Advance
--------------------------------------|-------------------------|----------------------------
Know which systems hold personal data | No                      | Yes
Know who has access                   | No                      | Yes
Notification process documented       | No                      | Yes
Rehearsed at least once               | No                      | Yes
First two weeks of the 30 days        | Figuring out the scope  | Executing the response plan

The businesses that handle breaches well are the ones that mapped their data before the breach happened. They know which systems hold personal information, who has access, and what the notification process looks like. They rehearsed it at least once.

The ones that handle it badly are the ones building the plane while it's on fire.

Focus on the Gaps That Actually Matter

You don't need to be perfect across all 13 APPs tomorrow. You need to close the gaps that cause real breaches at businesses your size.

Audit your vendor stack for APP 8 compliance. Fix the human error vectors with process changes. Document your APP 11 controls so they're defensible. And build your breach response plan before you need it.


The penalties since 2022 go up to $50 million for a body corporate. And since December 2024, individuals can now sue you directly in Federal Court for serious privacy invasions. The risk isn't theoretical. But the fixes, for most SMEs, are straightforward.

Robbie Cronin

Fractional CTO helping non-technical founders make better technical decisions. Based in Melbourne.