Notifiable Data Breaches

Notifiable Data Breach Obligations for Australian Businesses

The Notifiable Data Breaches scheme requires Australian businesses to assess and report eligible data breaches to the OAIC and affected individuals. Failure to comply is not just a regulatory risk — it is evidence that reasonable steps were not in place when they were needed most.

What the NDB scheme requires

1. Assess quickly: you have 30 days to assess whether a suspected breach is likely to result in serious harm.
2. Notify if eligible: if serious harm is likely, you must notify the OAIC and affected individuals.
3. Document everything: your response, timeline, and remedial actions become evidence of whether reasonable steps were taken.

The Reality

Most Businesses Are Not Prepared for a Notifiable Breach

Many Australian businesses know the NDB scheme exists but have not tested whether their team could respond within the required timeframes, or whether their documentation would withstand regulatory review.

What businesses often assume

  • A breach response plan exists somewhere in the policy folder
  • IT will handle it if something happens
  • Staff will know to escalate suspicious activity
  • Insurance will cover any regulatory fallout
  • Small businesses are unlikely to be investigated

What the NDB scheme actually requires

  • A documented response plan that staff have been made aware of
  • The ability to assess a suspected breach within 30 days
  • Clear escalation pathways from staff to decision-makers
  • Notification to the OAIC and affected individuals if the threshold is met
  • Evidence that the organisation took reasonable steps before and after the breach

Where Breach Preparedness Fails in Practice

The NDB scheme does not just assess what happened — it assesses what was in place before the breach occurred and how the organisation responded.

No documented plan

Without a breach response plan, the 30-day assessment window becomes chaotic. Decisions are reactive, not structured.

Staff cannot escalate

If staff do not know what constitutes a suspected breach or who to report it to, the assessment clock starts without anyone knowing.

No evidence trail

Regulators assess the organisation's response. Without documentation, there is no evidence that the response was timely or adequate.

Compliance gaps exposed

A breach investigation often reveals pre-existing compliance failures — untrained staff, missing certifications, and weak oversight.

Self-Assessment

Would your team know what to do if a breach occurred today?

Answer 10 questions to assess whether your business is taking reasonable steps — including breach preparedness.

Privacy Act Compliance Assessment

Are You Meeting Your Privacy Act Obligations?

The Privacy Act 1988 and APP 11 require organisations to take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access. This assessment helps identify where your obligations may not be met.

Answer 10 questions to identify where your business may not be taking reasonable steps.

Step 1 of 3

Data & Handling

1. Does your business have a documented process for how personal information is collected, stored, and disposed of?

2. Have all staff who handle personal data completed cyber compliance obligations appropriate to their role?

3. Can you produce evidence of compliance if requested by an insurer, client, or regulator today?

Step 2 of 3

Processes & Evidence

4. Does your business have a documented data breach response plan that staff have been made aware of?

5. Are compliance certifications tracked with expiry dates and renewal processes?

6. Do managers and team leaders understand their oversight responsibilities for cyber compliance?

Step 3 of 3

Governance & Oversight

7. Has a director or senior leader reviewed the organisation's cyber compliance posture in the last 12 months?

8. Does your business differentiate compliance obligations by role (staff, managers, directors)?

9. Are third-party access and data sharing arrangements documented and reviewed?

10. Does your business review and update its compliance measures at least annually?

What Happens After a Notifiable Breach

The consequences of a notifiable breach extend beyond the breach itself. How your organisation responds — and what evidence it can produce — determines the regulatory and commercial outcome.

OAIC Investigation

The OAIC may investigate whether the organisation had reasonable steps in place before the breach. Compliance gaps discovered during investigation compound the original failure.

Insurance Implications

Cyber insurers assess whether the organisation met its obligations. A breach combined with poor compliance evidence can affect claim outcomes and future premiums.

Client and Commercial Impact

Affected individuals must be notified. Clients, partners, and stakeholders will ask what measures were in place. The absence of documented compliance is difficult to explain.

Evidence

What You Should Be Able to Demonstrate

If a breach occurs and the NDB scheme is triggered, your organisation should be able to produce evidence of the following.

Before the breach

  • Documented breach response plan
  • Staff awareness of escalation procedures
  • Role-based compliance coverage
  • Current certifications and completion records

During the response

  • Timeline of assessment activities
  • Records of who was involved in the response
  • Communication with affected individuals
  • OAIC notification (if threshold met)

After the breach

  • Remedial actions taken
  • Updated processes and controls
  • Evidence of ongoing compliance activity
  • Board or governance-level review

Be ready to prove it.

Compliance obligations do not wait for a breach. Insurers, regulators, and clients expect documented evidence of reasonable steps — not a promise that you are working on it. The cost of being unable to demonstrate compliance is measured in liability, not intent.

© 2026 Cleverer. Human-layer cyber compliance for Australian business.