NOTIFIABLE DATA BREACHES
72-hour notification
Mandatory reporting of data breaches that are likely to result in serious harm. The NDB scheme requires you to detect, assess, and notify — typically inside a 72-hour window once an eligible breach is confirmed.
THE NDB LIFECYCLE
Detect — know a breach has occurred
You can't notify what you can't see. Logging, monitoring, and anomaly detection are the foundation. Most organisations discover breaches days or weeks after they occur.
Assess — within 30 days
Once aware of a suspected breach, entities have 30 days to assess whether it is an 'eligible data breach' likely to result in serious harm. Document the assessment.
Notify — promptly
If the breach is eligible, notify affected individuals and the OAIC promptly — generally within 72 hours of confirming eligibility. Use the OAIC's notification form.
Remediate and learn
Containment, remediation, and post-incident review. The OAIC expects evidence that the underlying cause has been addressed, not just the immediate incident.
HOW WE PREPARE YOU
Detection that actually fires
SIEM, EDR, and access-pattern anomaly detection deployed and tuned. Alerts that mean something — not noise that gets ignored until the OAIC writes asking why you didn't notice for six weeks.
Documented incident response
Written incident response plan with named roles, decision authority, and communication trees. Tested through tabletop exercises so the first time you use it isn't during a real breach.
Sovereign forensics
Logs and forensic artefacts retained on Australian sovereign infrastructure, accessible without foreign legal process. Material the OAIC and your insurer expect to see.
Notification-ready posture
Templates, decision trees, and communication frameworks pre-prepared. When notification time comes, you're not drafting fundamentals — you're executing a documented process.
RELATED REGULATIONS
Privacy Act 1988
The Australian Privacy Principles require reasonable steps to protect personal information.
International Transfers: comparable protection
Transferring data overseas requires ensuring recipient privacy protections.
Overseas Data Risks: risk profile
Foreign jurisdiction, latency, vendor lock-in, and compliance gaps.
ARE YOU NDB-READY?
We assess detection coverage, response readiness, and your 72-hour clock.