Australia’s Data Privacy Laws: Necessary Hassle?

As data privacy legislation continues to develop, the Australian consumer is being both pushed into an education in data rights and gradually worn down by concern over how their data is processed, managed and secured.

The cost of a data breach is set to rise in 2024, with Australian lawmakers and regulators introducing tougher penalties in response to the fallout from the infamous Optus breach.

Optus's own estimates put the number of people affected by the breach, which occurred in September 2022, at well over 9 million. Up to 9.8 million Australians could have had their data compromised, and around 2.8 million of those were severely impacted because identity documents such as passport and driver's licence numbers were exposed.

Under the new legislation (the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022), the maximum penalty for serious or repeated privacy breaches rises to the greater of $50 million, three times the value of any benefit obtained from the misuse, or 30% of the company's adjusted turnover in the relevant period. This is a significant jump from the previous maximum of $2.22 million.

It should surprise nobody that with these changes the worry-ometer (our invented gauge of how worried each party is) has swung from consumer to business. Now that businesses have so much to lose, a change in behaviour is likely. Here are the main reasons why.


Australian Businesses Must Report Data Breaches

Who is the worst kind of person? That guy who scrapes someone else’s car when he’s parking but drives off and doesn’t leave a note. Everyone hates that guy, right? Well, this is exactly the same.

When a business messes up, it’s only right and proper that they tell the people who are impacted.

Back in February 2018, the Notifiable Data Breaches (NDB) scheme came into force. It requires organisations covered by the Privacy Act 1988, which includes businesses with an annual turnover of more than $3 million, to notify both the affected individuals and the Office of the Australian Information Commissioner (OAIC) of any eligible data breach. An eligible data breach is one where personal information has been lost or accessed or disclosed without authorisation, and a reasonable person would conclude that this is likely to result in serious harm to the individuals concerned; notification must happen as soon as practicable once the organisation has decided the breach is eligible.

NDB scheme compliance is also mandatory for the following entities, regardless of turnover:


  • Health service providers
  • Credit reporting bodies
  • Credit providers that process credit eligibility information
  • Tax File Number (TFN) recipients
  • All entities regulated under the Privacy Act 1988

As UpGuard notes, failure to comply with the NDB scheme is a breach of the Privacy Act and can result in enforcement action by the OAIC. If your business falls into any of the above categories, you need to get on it! We can help with compliance consultancy and with securing (or safely disposing of) your legacy data so that your attack surface shrinks, but the onus is on you and your team to change how you work and get secure.


Trust & Reputation Are At Stake

There is a further consequence of the NDB scheme: telling customers that their data has been breached can lead to a total loss of trust. A business seen to be dysfunctional, insecure, or about to be hit with a hefty fine risks a massive reputational hit as well. Why would a customer put their faith in an organisation that is about to be under financial strain and has shown it cannot manage data competently? Well, they wouldn't, and they don't. A Delinea (previously Centrify) study found that 65% of data breach victims lost trust in the organisation as a result of the breach, and 43% of Australians say they would hesitate to do business with the breached entity for several months afterwards.

You’ve worked so hard to find, onboard and keep your customers happy. Don’t lose them now.


Ever-Evolving Compliance Criteria

About a year ago, in March 2022, PCI DSS v4.0 was officially released, and as a result the criteria changed...again! Talk about moving the goalposts.

Organisations now have to treat security testing and control validation as a continuous process, rather than relying on the snapshot of PCI DSS compliance that used to be taken once a year as part of the annual assessment.

Qualified Security Assessors (QSAs) now select samples from across the assessment period to prove that compliance has been maintained throughout. Essentially, you can no longer cram your revision the night before the big day.

The authentication requirements have also been updated to reflect current best practice for password management and multi-factor authentication (MFA). Passwords now have to be longer: at least twelve characters (or eight where a system cannot support twelve), containing both numeric and alphabetic characters. MFA becomes mandatory for all access into the cardholder data environment, not just administrative or remote access, when the future-dated v4.0 requirements take effect on 31 March 2025.

One huge positive is that PCI DSS v4.0 explicitly accommodates cloud technologies, including cloud-based hosting services, and spells out how responsibility for each requirement is shared between the customer and the cloud provider. 🎉


As data privacy standards continue to evolve in Australia, regulators are pushing organisations towards data minimisation: avoiding the collection and retention of sensitive data wherever they can. Where it cannot be avoided, that data needs to be managed securely, and handled only by the people who genuinely need access to it.

If you need a hand with customer data compliance – whether that be with legacy data management, PCI DSS criteria, or something else – please get in touch. We’d be happy to help!