Compliance Checklist

Cyber Compliance Checklist for Australian Businesses

The Privacy Act does not provide a checklist. It requires reasonable steps — and what counts as reasonable depends on your business, the data you hold, and the expectations of regulators, insurers, and clients. This page outlines the obligations most Australian businesses need to address and the evidence they need to produce.

What reasonable steps require
1. Proportionate to risk: the steps must match the sensitivity and volume of personal information your business holds.
2. Documented and demonstrable: steps that are not documented cannot be demonstrated. Evidence is the foundation of defensibility.
3. Ongoing, not one-off: compliance is assessed at the point of challenge, not the point of implementation. It must be maintained.

The Gap

Why Most Businesses Cannot Complete This Checklist

Most Australian businesses have some compliance activity in place, but cannot demonstrate it in a structured, complete, or current way when the question is actually asked.

Where businesses commonly fail

  • Staff completed something once but records are lost or scattered
  • Certifications were issued but expiry is not tracked
  • A breach response plan exists but staff are unaware of it
  • Managers assume their team is compliant but cannot verify it
  • No governance-level review has been documented

What a complete checklist requires

  • Current, tracked compliance for every staff member
  • Role-based obligations — not one-size-fits-all
  • Active breach response preparedness
  • Manager oversight that is documented, not assumed
  • Director or governance-level review within 12 months

The Essential Compliance Checklist

These are the areas that regulators, insurers, and clients assess when they evaluate whether an Australian business has taken reasonable steps under the Privacy Act.

Staff obligations

  • All staff handling data have completed compliance
  • Obligations are role-appropriate
  • Completion is documented
  • New starters are covered on onboarding

Breach preparedness

  • Documented breach response plan
  • Staff know the escalation process
  • Assessment can happen within 30 days
  • OAIC notification pathway is understood

Governance & oversight

  • Managers can verify team compliance
  • Director or senior leader has reviewed posture
  • Oversight is documented with dates
  • Compliance is reported at governance level

Evidence & currency

  • Certifications issued and tracked
  • Expiry dates managed proactively
  • Reports available on demand
  • Evidence is current, not historical

Self-Assessment

How many items on this checklist can your business demonstrate today?

Answer 10 questions to assess where your business stands against the reasonable steps expected under the Privacy Act.

Compliance Self-Assessment

How Prepared Is Your Business?

The Privacy Act requires Australian businesses to take reasonable steps to protect personal information. This assessment helps you identify where your obligations may not be met and where your evidence may be insufficient.

Answer 10 questions to identify where your business may not be taking reasonable steps.

Step 1 of 3

Data & Handling

1. Does your business have a documented process for how personal information is collected, stored, and disposed of?

2. Have all staff who handle personal data completed cyber compliance obligations appropriate to their role?

3. Can you produce evidence of compliance if requested by an insurer, client, or regulator today?

Step 2 of 3

Processes & Evidence

4. Does your business have a documented data breach response plan that staff have been made aware of?

5. Are compliance certifications tracked with expiry dates and renewal processes?

6. Do managers and team leaders understand their oversight responsibilities for cyber compliance?

Step 3 of 3

Governance & Oversight

7. Has a director or senior leader reviewed the organisation's cyber compliance posture in the last 12 months?

8. Does your business differentiate compliance obligations by role (staff, managers, directors)?

9. Are third-party access and data sharing arrangements documented and reviewed?

10. Does your business review and update its compliance measures at least annually?

What Happens When the Checklist Has Gaps

Every unchecked item on this list represents a potential point of failure when your compliance is tested.

Regulatory exposure

The OAIC assesses reasonable steps based on what was in place, not what was planned. Each gap is evidence that a practicable step was not taken.

Insurance risk

Insurers ask specific questions about compliance at application and renewal. Gaps between your answers and your actual evidence create coverage risk.

Client confidence

Clients expect evidence of compliance, not a promise that you are working on it. Each gap weakens your position in due diligence and questionnaire responses.

If your business was reviewed today, would you be confident in your position?

Be ready to prove it.

Compliance obligations do not wait for a breach. Insurers, regulators, and clients expect documented evidence of reasonable steps — not a promise that you are working on it. The cost of being unable to demonstrate compliance is measured in liability, not intent.

© 2026 Cleverer. Human-layer cyber compliance for Australian business.