If you’re running an eCommerce business, or if your business securely stores information online, it’s more important than ever to know the legals around data privacy and IP protection. The digital landscape has evolved considerably by 2025, with stricter regulatory requirements and more sophisticated cyber threats. Even when you take the right steps to safeguard your data, some breaches may still occur due to factors beyond your control.

So, your business should be well-prepared for these unwanted situations.

One key term to be aware of is a Notifiable Data Breach, whose implications have become even more significant in 2025.

Notifiable Data Breaches occur when a data breach is likely to cause ‘serious harm’, and in such cases your business is under an obligation to notify those who are likely to be affected.

This generally applies to businesses to which the Privacy Act 1988 applies (typically those with an annual turnover exceeding $3 million, and now updated to reflect the latest 2025 amendments).

Let’s go into a little more detail about what this means for your online business.

What Is The Notifiable Data Breaches Scheme?

The Notifiable Data Breaches Scheme requires that any organisation covered by the Privacy Act must inform both affected individuals and the OAIC when a data breach occurs that is likely to result in serious harm.

This usually applies where the breach involves personal or sensitive information – for example, customers’ names, contact details, or financial information.

What Is Considered ‘Serious Harm’?

‘Serious harm’ is a broad concept. According to the OAIC, it can include situations such as:

  • Identity theft (which may involve financial data)
  • Financial loss through fraud
  • Risk of physical harm
  • Risk of severe psychological distress
  • Serious harm to an individual’s reputation

The OAIC also specifies that organisations have 30 days from the point of discovering a breach to assess whether it is likely to result in serious harm.

There Has Been A Data Breach – What Do I Do?

Let’s say your business has experienced a data breach – but don’t panic! What’s important is taking immediate and proper steps to notify the affected parties.

First, you need to notify the OAIC. They provide an online form specifically for reporting data breaches.

Then, you must notify any individuals who might suffer ‘serious harm’ as a result of this breach.

How Do I Notify Individuals About A Data Breach?

When notifying individuals (including any affected third parties or customers), you may want to contact them via email, text message, or phone call. Ensure your notification includes details such as:

  • Your organisation’s name and contact information
  • The specific personal information that was breached
  • A clear description of the breach
  • Practical steps they can take in response (this should be part of your Data Breach Response Plan)

Generally, there are three options when notifying affected parties:

  1. Notify all affected individuals
  2. Notify only those at risk of serious harm
  3. If individual notifications are not feasible, issue a public statement on behalf of your business

How Do I Respond To A Data Breach?

It’s crucial for businesses to take proactive measures to mitigate risks, even though some data breaches may still occur unexpectedly. While nothing is completely foolproof, having the right policies in place can streamline your response and help minimise damage.

This is why having robust procedures from the outset is essential – so that when complications arise, you have a clear process to follow that minimises potential damage and loss.

Data Breach Response Plan

If the Privacy Act applies to your business, it’s essential that you have a comprehensive Data Breach Response Plan in place. This document should clearly outline the roles and responsibilities of all parties involved when a breach occurs.

The plan should be easily accessible to your staff and regularly reviewed to ensure it remains up-to-date with the latest regulatory requirements and technological changes.

In simple terms, a Data Breach Response Plan sets out your organisation’s process for handling a breach – for example, identifying who is responsible for containing the breach, the procedure for notifying affected individuals, and the protocol for informing the OAIC.

What Are The Civil Penalties For A Data Breach?

If your business suffers a data breach and fails to comply with the notification requirements, you could face fines of up to $2.3 million (reflecting updated penalties in 2025) in addition to potential compensation payments to affected individuals.

Moreover, a data breach can erode customer trust – rebuilding a strong, transparent relationship with your clientele can be extremely challenging once that trust is lost. This underscores why being proactive about data protection is critical.

How Can I Protect My Data And IP?

We’ve discussed how to respond to a breach, but preventing one is always preferable. Investing in a robust cyber security system is essential to minimise risks from the outset. Consider the following steps:

  • Regularly update your systems – this includes changing passwords and enhancing your authentication processes
  • Monitor staff and contractor access to your systems and data constantly
  • Develop a strong Cyber Security System that is compliant with the latest industry standards
  • Include robust Non-Compete and Confidentiality Clauses in your contracts
  • Conduct regular employee training on cyber security and your data protection policies
  • Periodically review and update your privacy policy to remain compliant with the updated Australian Privacy Principles

For more detailed advice on protecting your intellectual property, check out our guide on Trade Marks – What And Why?

Keeping up-to-date with regulatory changes and emerging cyber threats in 2025 is critical. Regular training sessions and frequent audits will help you maintain a proactive approach to data protection. You might also find our Online Business Privacy Guide and Intellectual Property Guide valuable for additional insights.

Need Help With A Data Breach Notification?

If your business has experienced a data breach and you need to notify the relevant parties, Sprintlaw’s team of experienced lawyers is ready to help you draft a compliant data breach notification. Our experts will ensure your notification details are accurate, clear, and tailored to the specifics of your breach – all in line with the updated legal requirements of 2025.

You can reach out to us for a free, no-obligation chat at team@sprintlaw.com.au or call us on 1800 730 617.

Rowan Gardoce
Rowan is the Marketing Coordinator at Sprintlaw. She is studying law and psychology with a background in insurtech and brand experience, and now helps Sprintlaw help small businesses

Meet Our Lawyers for Data & Privacy

About Sprintlaw

Sprintlaw's expert lawyers make legal services affordable and accessible for business owners. We're Australia's fastest growing law firm and operate entirely online.

5.0 Review Stars
(based on Google Reviews)
Do you need legal help?
Get in touch now!

We'll get back to you within 1 business day.

  • This field is hidden when viewing the form
  • This field is for validation purposes and should be left unchanged.

Related Services

Data Breach Notification

Make sure your business is ready to respond to a data breach.
Learn More

Data Breach Response Plan

Equip yourself to deal with data breaches.
Learn More

Data & Privacy Lawyers

Specialist data & privacy lawyers
Learn More

Online Data & Privacy Lawyers

Get expert help from our online data & privacy lawyers
Learn More

Data Processing Agreement

Get legal help for your Data Processing Agreement
Learn More
Related Articles
What Is a Company Resolution? A Guide for Australian Businesses
Posted 12th July, 2025
What Does ‘Proprietary’ Mean? Understanding Proprietary Companies for Your Business Structure
Posted 12th July, 2025
Understanding Merchant Account Agreements: What Australian Businesses Need to Know
Posted 11th July, 2025
STSOL: What Australian Employers and Businesses Need to Know About Skilled Occupation Lists
Posted 11th July, 2025
Is a Separate Business Bank Account Legally Required for Your Company?
Posted 11th July, 2025
Legal Essentials for Online Marketing and Advertising Agreements in Australia
Posted 11th July, 2025